Snort mailing list archives

Re: snort suddenly stopped to record events


From: linux () vfemail net
Date: Tue, 23 Jul 2013 03:02:44 -0500

Hi Waldo,

Thanks for the help :-). I tried the provided debug rules, and snort is working and logging events, but only for UDP!!!

It seems that something is misconfigured in my snort.conf file, or some existing rule is blocking snort from logging and alerting. I am attaching my snort.conf file here; maybe you can identify what is wrong or have a suggestion.

Commencing packet processing (pid=12487)
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 129.124889 seconds
Snort processed 310 packets.
Snort ran for 0 days 0 hours 2 minutes 9 seconds
   Pkts/min:          155
   Pkts/sec:            2
===============================================================================
Packet I/O Totals:
   Received:          310
   Analyzed:          310 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          310 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          230 ( 74.194%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:          230 ( 74.194%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:           60 ( 19.355%)
        IPX:            4 (  1.290%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:           16 (  5.161%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          310
===============================================================================
Action Stats:
     Alerts:          582 (187.742%)
     Logged:          582 (187.742%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:          184
      Event:            0
      Alert:            0
Verdicts:
      Allow:          310 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 7
              TCP sessions: 0
              UDP sessions: 7
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 0
     TCP Segments Released: 0
       TCP Rebuilt Packets: 0
         TCP Segments Used: 0
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 7
      UDP Sessions Deleted: 7
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
           UDP Port Filter
                   Dropped: 0
                 Inspected: 59
                   Tracked: 7
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
Snort exiting
[root@ids rules]#

See below a few alert lines now produced in /var/log/messages

[root@ids ~]# tail -f /var/log/messages|grep snort

Jul 23 10:42:49 ids snort[12700]: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:49 ids snort[12700]: [1:6:1] udp traffic outbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:49 ids snort[12700]: [1:5:1] udp traffic inbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:49 ids snort[12700]: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:50 ids snort[12578]: [1:6:1] Snort Alert [1:6:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:50 ids snort[12578]: [1:5:1] Snort Alert [1:5:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:50 ids snort[12578]: [1:4:1] Snort Alert [1:4:0] [Classification: Unknown Traffic] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:50 ids snort[12578]: [1:6:1] Snort Alert [1:6:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:50 ids snort[12578]: [1:5:1] Snort Alert [1:5:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:50 ids snort[12578]: [1:4:1] Snort Alert [1:4:0] [Classification: Unknown Traffic] [Priority: 3]: <eth4> {UDP} 192.168.51.26:138 -> 192.168.51.255:138
Jul 23 10:42:50 ids snort[12700]: [1:6:1] udp traffic outbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:50 ids snort[12700]: [1:5:1] udp traffic inbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:50 ids snort[12700]: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12578]: [1:6:1] Snort Alert [1:6:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12578]: [1:5:1] Snort Alert [1:5:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12578]: [1:4:1] Snort Alert [1:4:0] [Classification: Unknown Traffic] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12700]: [1:6:1] udp traffic outbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12700]: [1:5:1] udp traffic inbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:51 ids snort[12700]: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12578]: [1:6:1] Snort Alert [1:6:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12578]: [1:5:1] Snort Alert [1:5:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12578]: [1:4:1] Snort Alert [1:4:0] [Classification: Unknown Traffic] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12700]: [1:6:1] udp traffic outbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12700]: [1:5:1] udp traffic inbound [Classification: Misc activity] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:52 ids snort[12700]: [1:4:1] ip traffic outbound [Classification: Unknown Traffic] [Priority: 3] <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:53 ids snort[12578]: [1:6:1] Snort Alert [1:6:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:53 ids snort[12578]: [1:5:1] Snort Alert [1:5:0] [Classification: Misc activity] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009
Jul 23 10:42:53 ids snort[12578]: [1:4:1] Snort Alert [1:4:0] [Classification: Unknown Traffic] [Priority: 3]: <eth4> {UDP} 192.168.51.61:45087 -> 192.168.51.255:19009

What can be wrong in my snort.conf? Can you take a look please?

Thanks in advance.
Alx

Quoting "waldo kitty" <wkitty42 () windstream net>:

On 7/22/2013 11:59, linux () vfemail net wrote:
Please, help me to debug ... I am lost ... Could it be some new updates received using pulledpork?

unlikely...

Some misconfigured rules received using pulledpork?

unlikely...

Why is snort not logging?

you mean like alerting on any traffic? sure... we use the following rules in a file named local-test.rules... just like local.rules, put it in place with the proper permissions, add it to your snort.conf and restart snort... only let it run a minute because it can generate thousands of alerts per second depending on your traffic and your machine's capabilities... then edit your snort.conf to comment it out or remove it and restart your snort... then you can look at your alert and log files to see if traffic was recorded... if it was, then things are working properly... if it was not, then we have to look deeper...

----- snip -----
#
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should NOT be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)

----- snip -----



--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment: snort.conf.txt
Description:
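An added triage check, not part of the thread, that reads the "Breakdown by protocol" and "Action Stats" rows of the Snort exit summary quoted above. It separates two very different failure modes: a transport protocol that shows 0 at the decoder (as TCP does here, next to 230 UDP packets) never reached Snort at all, which is a capture-path question (interface, SPAN/tap, BPF), whereas a protocol that was decoded but produced no alerts is a rule or snort.conf question. The embedded sample is copied from the summary above with unused rows omitted; the function names are this example's own.

```python
import re

# Rows copied from the Snort exit summary quoted above (unused rows omitted).
SNORT_EXIT_SUMMARY = """\
Breakdown by protocol (includes rebuilt packets):
        IP4:          230 ( 74.194%)
       ICMP:            0 (  0.000%)
        UDP:          230 ( 74.194%)
        TCP:            0 (  0.000%)
      Total:          310
===============================================================================
Action Stats:
     Alerts:          582 (187.742%)
"""

# One counter row: optional indent, name, colon, count, optional "(percent%)".
ROW = re.compile(r"^\s*(?P<name>[A-Za-z0-9/ -]+?):\s+(?P<count>\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")


def parse_counters(text):
    """Return {section: {row name: count}} for every counter row in a Snort exit summary."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.rstrip().endswith(":"):              # section header, e.g. "Action Stats:"
            current = line.strip().rstrip(":").split(" (")[0]
            sections[current] = {}
            continue
        m = ROW.match(line)
        if m and current is not None:
            sections[current][m.group("name").strip()] = int(m.group("count"))
    return sections


def missing_transports(sections):
    """Transport protocols of which Snort decoded zero packets although IPv4 was seen.
    A zero here means those packets never reached the decoder (capture path), so
    rule matching in snort.conf cannot be what suppressed their alerts."""
    proto = sections["Breakdown by protocol"]
    if proto.get("IP4", 0) == 0:
        return ["IP4"]                               # no IP at all: check the interface first
    return [p for p in ("TCP", "UDP", "ICMP") if proto.get(p, 0) == 0]


def alerts_per_packet(sections):
    """Alerts divided by packets: above 1.0 means several rules matched the same packet."""
    return sections["Action Stats"]["Alerts"] / sections["Breakdown by protocol"]["Total"]
```

For the summary above, missing_transports() returns TCP and ICMP, and alerts_per_packet() is about 1.88 because the ip and udp test rules both fire on every UDP packet.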
