Snort mailing list archives

Re: Snort and Proxmox


From: Josh Bitto <jbitto () onlineschool ca>
Date: Tue, 29 Jan 2013 08:35:07 -0800

No offense taken...I neglected to mention that I did actually turn the HTTP preprocessors on. The result is the same. 
I'm not sure what the issue would be....I'll try to go into deeper detail.

So we have our regular production network that does our daily production.....aside from that I have a server sitting on 
my desk with proxmox installed. I've already mentioned that I changed the interface config file in proxmox, which you can 
see. So then in proxmox I created 2 VMs....winxp and the other pfsense....

In pfsense on the WAN interface I've allowed our dhcp server to assign an IP. The LAN interface is a static with an IP 
range so I can have the xp machine get its IP from it.


So...I'm able to listen to traffic....ping outside websites, everything, so I know I have connectivity. Load up 
pfsense....install the package option they give...download an oinkcode...update....everything is turned on and 
running.....the only thing it doesn't do is report anything.

The problem continues when I reboot/restart anything pertaining to either pfsense or snort service......Snort will not 
restart and the service doesn't run at all. 

I'm at a loss.....If you're sure that snort isn't that buggy then maybe I have a conflict with my setup that snort 
doesn't like...I don't know




-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net] 
Sent: Monday, January 28, 2013 6:35 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

On 1/28/2013 17:26, Josh Bitto wrote:
ok I'm getting this....this might help
snort[32057]: FATAL ERROR: /usr/local/etc/snort/snort_63566_re0/rules/snort.rules(26) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jan 28 14:25:23       snort[32057]: FATAL ERROR: /usr/local/etc/snort/snort_63566_re0/rules/snort.rules(26) Please enable the HTTP Inspect preprocessor before using the http content modifiers

is this some kind of deja vu or some sort of posting regurgitation? i specifically remember seeing some posts like this 
a few months ago :(

the answer is right there about enabling the http inspect processor :?

my apologies if this seems "out of sorts" and "ugly" :/

________________________________________
From: Jeremy Hoel [jthoel () gmail com]
Sent: Monday, January 28, 2013 2:21 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

See that last part says

Jan 28 21:49:22 pfSense php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''

Did you stop snort, or is there a process on pfSense stopping it?


On Mon, Jan 28, 2013 at 10:14 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
This is the only thing that I have in my log file pertaining to snort.....

Jan 28 13:49:07 pfSense syslogd: kernel boot file is /boot/kernel/kernel
Jan 28 13:49:18 pfSense SnortStartup[23952]: Snort STOP For WAN Interface(63566_re0)...
Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
Jan 28 13:49:19 pfSense kernel: re0: promiscuous mode disabled
Jan 28 13:49:20 pfSense snort[6973]: Could not remove pid file /var/run/snort_re063566.pid: No such file or directory
Jan 28 13:49:20 pfSense snort[6973]: Could not remove pid file /var/run/snort_re063566.pid: No such file or directory
Jan 28 13:49:20 pfSense SnortStartup[25382]: Snort STOP For LAN Interface(7224_re1)...
Jan 28 13:49:21 pfSense snort[8538]: *** Caught Term-Signal
Jan 28 13:49:21 pfSense snort[8538]: *** Caught Term-Signal
Jan 28 13:49:21 pfSense snort[8538]: Could not remove pid file /var/run/snort_re17224.pid: No such file or directory
Jan 28 13:49:21 pfSense snort[8538]: Could not remove pid file /var/run/snort_re17224.pid: No such file or directory
Jan 28 13:49:21 pfSense kernel: re1: promiscuous mode disabled
Jan 28 21:49:22 pfSense php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
Jan 28 13:49:22 pfSense SnortStartup[41673]: Snort STOP For WAN Interface(63566_re0)...
system.log: unmodified: line 1
________________________________________
From: Jeremy Hoel [jthoel () gmail com]
Sent: Monday, January 28, 2013 1:58 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

You never listed what errors you might be having, or when it crashes 
what errors it gives (/var/log/messages probably?)  so it's hard to 
know what the problem might be.


On Mon, Jan 28, 2013 at 9:51 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
I don't know if this could be the issue or not. For some reason I am still not able to start the service. The only 
way to actually show that it's working is to completely uninstall snort and then install it again. I'm beginning to 
think this program is really buggy on a pfsense virtual machine.



-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Monday, January 28, 2013 12:40 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

So, when snort is running, it listens on an interface (or many).
That's part of the snort config, telling it what interface to listen on.  Once it's running and listening on the 
interface, if it sees packets/traffic that match the rules it alerts/passes/drops/etc..

When you startup snort, near the end of the messages that it spits out it should tell you what interface it's 
listening on:

"Jan 28 20:38:53 iiaabqst001 snort[23678]: Acquiring network traffic from "eth1"."

Look for that, that's the port snort is listening on to process packets.  Then go back to TCP dump and see if you 
are seeing all packets for all the traffic, or just certain packets to that address.
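A small triage script for the kinds of log lines quoted in this thread, added here as an example (it is not code from the thread, from pfSense or from the Snort package): it picks out the "Acquiring network traffic from" line, the SnortStartup STOP lines, the snort.sh exit-code line and the FATAL ERROR line, and reports the last known state per interface. The sample log, the function names and the event labels are constructed for the example.

```python
import re

# Constructed sample log, modelled on the lines quoted in this thread
SAMPLE_LOG = """\
Jan 28 13:49:18 pfSense SnortStartup[23952]: Snort STOP For WAN Interface(63566_re0)...
Jan 28 13:49:19 pfSense snort[6973]: *** Caught Term-Signal
Jan 28 13:49:22 pfSense php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
Jan 28 14:25:23 pfSense snort[32057]: FATAL ERROR: /usr/local/etc/snort/snort_63566_re0/rules/snort.rules(26) Please enable the HTTP Inspect preprocessor before using the http content modifiers
Jan 28 20:38:53 pfSense snort[23678]: Acquiring network traffic from "eth1".
"""

# One regex per message shape; everything else (Term-Signal, pid-file noise) is ignored
RE_LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$')
RE_FATAL = re.compile(r'snort\[\d+\]: FATAL ERROR: (?P<file>\S+?)\((?P<line>\d+)\) (?P<msg>.*)')
RE_ACQUIRE = re.compile(r'snort\[\d+\]: Acquiring network traffic from "(?P<iface>[^"]+)"')
RE_STOP = re.compile(r'SnortStartup\[\d+\]: Snort STOP For \w+ Interface\(\d+_(?P<iface>\w+)\)')
RE_SCRIPT = re.compile(r"The command '(?P<cmd>[^']*snort\.sh \w+)' returned exit code '(?P<code>\d+)'")
RE_IFACE_IN_PATH = re.compile(r'/snort_\d+_(?P<iface>\w+)/')  # pfSense per-interface config dir

def parse_events(log_text):
    """Return the Snort lifecycle events found in the log, in order."""
    events = []
    for raw in log_text.splitlines():
        line = RE_LINE.match(raw)
        if not line:
            continue
        ts, body = line['ts'], line['body']
        if (m := RE_FATAL.search(body)):
            path = RE_IFACE_IN_PATH.search(m['file'])
            events.append({'ts': ts, 'kind': 'fatal', 'iface': path['iface'] if path else None,
                           'detail': f"{m['file']} line {m['line']}: {m['msg']}"})
        elif (m := RE_ACQUIRE.search(body)):
            events.append({'ts': ts, 'kind': 'running', 'iface': m['iface'], 'detail': body})
        elif (m := RE_STOP.search(body)):
            events.append({'ts': ts, 'kind': 'stopped', 'iface': m['iface'], 'detail': body})
        elif (m := RE_SCRIPT.search(body)):
            kind = 'script_ok' if m['code'] == '0' else 'script_error'
            events.append({'ts': ts, 'kind': kind, 'iface': None, 'detail': f"{m['cmd']} exit {m['code']}"})
    return events

def interface_status(events):
    """The last running/stopped/fatal event per interface decides its state."""
    status = {}
    for ev in events:
        if ev['iface'] and ev['kind'] in ('running', 'stopped', 'fatal'):
            status[ev['iface']] = ev['kind']
    return status
```

Run parse_events on the contents of /var/log/system.log and a 'fatal' state points straight at the rules file and line that Snort refused to load, which is the line to fix before restarting the service.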



On Mon, Jan 28, 2013 at 8:02 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
Sorry about that...

I did the tcpdump on the pfsense machine for the 2 interfaces. I don't really know how to plug snort into that 
equation to see if snort "sees" traffic or not.

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Monday, January 28, 2013 11:58 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

Ok, so snort is up, and you say it's seeing all packets, but the rules aren't firing?  What is your snort output 
set as?  Have you tried using syslog or portfast just so you can see the output vs it going to a binary file?

Also, please reply to the list, so that others might be able to chime in or help out.

On Mon, Jan 28, 2013 at 7:55 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
Ok I got that working again....On to my original issue.....Yes I was able to do a tcpdump on both interfaces (WAN 
and LAN) they both are listening to packets.

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Monday, January 28, 2013 11:33 AM
To: Josh Bitto
Subject: Re: [Snort-users] Snort and Proxmox

Check the system logs to see if it gives you an error message.  If it's set to start, but then isn't running 
after boot, it probably failed for some reason. Snort is pretty good about telling you why it stopped.

On Mon, Jan 28, 2013 at 7:19 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
Well to further my problem......Last week it was working fine. I come in this morning to start working and start 
up the VMs and I'm showing the service not even running in PFsense. I restarted everything, even reinstalled the 
snort package. Even on boot up it shows snort service started......but looking at top and also via the web gui 
it actually isn't running.....Any ideas?




-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Monday, January 28, 2013 11:13 AM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Proxmox

You should start with running TCPdump on the listening interface on the snort box to make sure it's seeing the 
packets you expect it to see.



On Mon, Jan 28, 2013 at 5:12 PM, Josh Bitto<jbitto () onlineschool ca>  wrote:
Hello Everyone,



I'm new to using snort and I'm needing to lean on your expertise. We've decided to use snort on our network and in 
doing so I've set up a small test lab away from the actual network to see how this IDS works. So here's the 
problem.....I can't get snort to show any logs. I want to be able to see if it's actually working or not.



I set up a stand-alone server with proxmox on it.

Created 2 VMs:

One is Pfsense.

The other is just an xp machine.



In proxmox, interface.conf looks like this:

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 192.168.3.15
        netmask 255.255.252.0
        gateway 192.168.1.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0


I did everything to spec in pfsense....it's pretty straightforward.

1. Set up the interface on pfsense to match in proxmox
2. Downloaded the snort package
3. Obtained an oinkmaster code
4. Created the WAN interface in snort.
5. Checked ALL the rules to activate them.
6. Even restarted both pfsense and the snort service.

I just for some reason can't get the darn thing to log events. As a test, I activated teamviewer rules and tried to 
block an event and couldn't get it to do that. So my thinking is....it's somewhere at the interface. I just don't 
know what I need to do. I'd be grateful for any help!



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
