Snort mailing list archives
Re: no IDS logs from snort
From: Kevin Thomas <kpt2078 () gmail com>
Date: Fri, 8 Mar 2013 16:44:13 -0600
I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:

- snort isn't logging anything, but it is running.
- it is creating empty files.
- snort version is 2.9.4 and snort.conf is version 2.9.1.1.
- system was installed (snort activated) around mid-Feb.

This is the result from ps -ef:

/usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/

This is the contents of my /var/log/snort directory. As you can see, it's creating files, but they are all empty.

-rw-r--r-- 1 root root 0 2013-03-03 00:01 alert
-rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
-rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
-rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root 0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root 0 2013-03-02 14:01 snort.log.1362254506
-rw-r--r-- 1 root root 0 2013-03-02 14:59 snort.log.1362257974
-rw-r--r-- 1 root root 0 2013-03-07 00:03 snort.log.1362636207

These are all the snort files on my system:

[root@ipfire snort]# find / -name snort
/etc/snort
/etc/rc.d/init.d/snort
/usr/sbin/snort
/usr/lib/snort
/var/log/snort
/var/ipfire/snort

This is the contents of the /etc/snort directory. The files owned by root:root were created by me.

-rw-r--r-- 1 root root 152 2013-03-06 18:13 readme.txt
drwxr-xr-x 2 nobody nobody 12288 2013-03-06 23:37 rules
-rw-r--r-- 1 nobody nobody 19506 2013-03-06 23:57 snort.conf
-rw-r--r-- 1 nobody nobody 19506 2013-02-16 11:03 snort.conf.orig
-rwxr-xr-x 1 root root 73 2013-03-06 18:38 snort-test.sh
-rwxr-xr-x 1 root root 29 2013-03-07 00:01 start.sh
-rwxr-xr-x 1 root root 28 2013-03-07 00:02 stop.sh
-rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
-rw-r--r-- 1 root root 104 2013-03-07 00:03 vars

Someone asked me in a separate email what my logging/output settings in snort.conf were. I think this is it. If not, let me know.

# config logdir: (this line is blank - nothing here)

#############################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# prelude
# output alert_prelude

# metadata reference data. do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config

I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your environment, which I am not.

# taken from /etc/snort vars
#ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network
#ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

Any help you guys could provide with this would be most appreciated. Thank you.

Kevin
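As an added check (an example script written for this archive page, not part of Kevin's post and not a Snort project tool), the small POSIX shell audit below reports the conditions a reader can see in the quoted excerpt: every "output" line is commented out, the HOME_NET definition is commented out, and the only include lines shown point at classification/reference configs rather than .rules files. It also counts zero-byte alert and snort.log files in a log directory, matching the listing above. The function names, the warning wording and the sample configs are constructed; it assumes a snort.conf in the same layout as the one quoted.

```shell
#!/bin/sh
# snort_conf_audit.sh - constructed example; audits a snort.conf and a log
# directory for settings that commonly explain "running but empty logs".
#
# Usage: sh snort_conf_audit.sh /etc/snort/snort.conf /var/log/snort

# Count lines in $1 that match the extended regex $2 and are not comments.
# The patterns below anchor on optional leading whitespace, so a line such
# as "# output unified2: ..." or "#ipvar HOME_NET any" is not counted.
count_active() {
    grep -E "$2" "$1" | grep -Ev '^[[:space:]]*#' | wc -l | tr -d ' '
}

# Report the three conditions and return non-zero if any of them holds.
audit_conf() {
    conf="$1"
    outputs=$(count_active "$conf" '^[[:space:]]*output[[:space:]]')
    homenet=$(count_active "$conf" '^[[:space:]]*(ipvar|var)[[:space:]]+HOME_NET[[:space:]]')
    rules=$(count_active "$conf" '^[[:space:]]*include[[:space:]].*\.rules')

    echo "active output plugins : $outputs"
    echo "HOME_NET definitions  : $homenet"
    echo "rule files included   : $rules"

    status=0
    [ "$outputs" -gt 0 ] || { echo "WARN: no active output plugin (Snort falls back to its defaults)"; status=1; }
    [ "$homenet" -gt 0 ] || { echo "WARN: HOME_NET is not defined in $conf"; status=1; }
    [ "$rules" -gt 0 ]   || { echo "WARN: no .rules file is included in $conf"; status=1; }
    return $status
}

# Count zero-byte alert*/snort.log* files directly inside the log directory $1.
# "-size 0" is POSIX (0 blocks); "-empty" would be a GNU/BSD extension.
count_empty_logs() {
    find "$1" -maxdepth 1 -type f \( -name 'alert*' -o -name 'snort.log*' \) -size 0 | wc -l | tr -d ' '
}

# Command-line entry point; skipped when the functions are sourced without arguments.
if [ "$#" -ge 1 ]; then
    audit_conf "$1" || rc=$?
    if [ "$#" -ge 2 ]; then
        echo "empty log files in $2 : $(count_empty_logs "$2")"
    fi
    exit "${rc:-0}"
fi
```

Run it against the live snort.conf and log directory; a non-zero exit status plus the WARN lines tell you which of the three conditions applies, and the empty-file count shows whether the daemon is opening files without ever writing events to them.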
Current thread:
- no IDS logs from snort Kevin Thomas (Mar 06)
- Re: no IDS logs from snort James Lay (Mar 07)
- Re: no IDS logs from snort Kevin Thomas (Mar 11)
- Re: no IDS logs from snort Kevin Thomas (Mar 08)
- Re: no IDS logs from snort Ray Caparros (Mar 09)
- Re: no IDS logs from snort waldo kitty (Mar 09)
- Re: no IDS logs from snort Kevin Thomas (Mar 08)
- Re: no IDS logs from snort waldo kitty (Mar 11)
- Re: no IDS logs from snort waldo kitty (Mar 11)
- Re: no IDS logs from snort Kevin Thomas (Mar 11)
- Re: no IDS logs from snort Ray Caparros (Mar 11)
- Re: no IDS logs from snort Joel Esler (Mar 11)
- Re: no IDS logs from snort waldo kitty (Mar 11)