Snort mailing list archives

Re: no IDS logs from snort

From: Kevin Thomas <kpt2078 () gmail com>
Date: Fri, 8 Mar 2013 16:44:13 -0600

I posted an email about this on March 6th, but for brevity's sake, I'll just rehash the important stuff:

- snort isn't logging anything, but it is running.  
- it is creating empty files
- snort version is 2.9.4 and snort.conf is version 2.9.1.1
- system was installed (snort activated) around mid-Feb.)

These is the result from ps -ef:

/usr/sbin/snort -c /etc/snort/snort.conf -i red0 -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path 
/var/run/

This the contents of my /var/log/snort directory.  As you can see, it's creating files, but they are all empty.

-rw-r--r-- 1 root root  0 2013-03-03 00:01 alert
-rw-r--r-- 1 root root 20 2013-03-03 00:01 alert.1.gz
-rw-r--r-- 1 root root 20 2013-02-24 00:01 alert.2.gz
-rw-r--r-- 1 root root 20 2013-02-17 00:01 alert.3.gz
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.5.gz
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-03-02 14:01 snort.log.1362254506
-rw-r--r-- 1 root root  0 2013-03-02 14:59 snort.log.1362257974
-rw-r--r-- 1 root root  0 2013-03-07 00:03 snort.log.1362636207

These are all the snort files on my system:

[root@ipfire snort]# find / -name snort
/etc/snort
/etc/rc.d/init.d/snort
/usr/sbin/snort
/usr/lib/snort
/var/log/snort
/var/ipfire/snort

This is the contents of the /etc/snort directory.  The files owned by root:root were created by me.

-rw-r--r-- 1 root   root      152 2013-03-06 18:13 readme.txt
drwxr-xr-x 2 nobody nobody  12288 2013-03-06 23:37 rules
-rw-r--r-- 1 nobody nobody  19506 2013-03-06 23:57 snort.conf
-rw-r--r-- 1 nobody nobody  19506 2013-02-16 11:03 snort.conf.orig
-rwxr-xr-x 1 root   root       73 2013-03-06 18:38 snort-test.sh
-rwxr-xr-x 1 root   root       29 2013-03-07 00:01 start.sh
-rwxr-xr-x 1 root   root       28 2013-03-07 00:02 stop.sh
-rw-r--r-- 1 nobody nobody 160606 2013-02-16 11:03 unicode.map
-rw-r--r-- 1 root   root      104 2013-03-07 00:03 vars

Someone asked me in a separate email what my logging/output settings in snort.conf were.  I think this is it.  If not, 
let me know.


# config logdir:
(this line is blank - nothing here)

#############################

# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2 
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp 

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include /etc/snort/rules/classification.config
include /etc/snort/rules/reference.config

I think I read somewhere else that the variables below should say vars and not ipvars if you are not using IPv6 in your 
environment, which I am not.

# taken from /etc/snort vars
#ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network 
#ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

Any help you guys could provide with this would be most appreciated.  Thank you.

Kevin





------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

no IDS logs from snort Kevin Thomas (Mar 06)
- Re: no IDS logs from snort James Lay (Mar 07)
- Re: no IDS logs from snort Kevin Thomas (Mar 11)
  - Re: no IDS logs from snort Kevin Thomas (Mar 08)
    - Re: no IDS logs from snort Ray Caparros (Mar 09)
    - Re: no IDS logs from snort waldo kitty (Mar 09)
  - Re: no IDS logs from snort waldo kitty (Mar 11)
    - Re: no IDS logs from snort waldo kitty (Mar 11)
    - Re: no IDS logs from snort Kevin Thomas (Mar 11)
    - Re: no IDS logs from snort Ray Caparros (Mar 11)
    - Re: no IDS logs from snort Joel Esler (Mar 11)
    - Re: no IDS logs from snort waldo kitty (Mar 11)