Re: Fw: [Snort-users] snort not reporting (Snort forums, System Security and Security Related category)
Allan,
I experienced the same problem when I first tried snort (with rules), but my project only focused on binary logging so I did not get the opportunity to fix it. That may be a good idea - try out the binary logging (I think there is a '-A' option then) and make sure that the traffic is logged to a binary file. You can then inspect the traffic with tools like 'ethereal', 'etherape' and 'tcpdump'. At least you can narrow down the problem area in this way.

I also recently read the frequently asked questions at http://www.snort.org/docs/FAQ.txt

Also check for relevant documentation at http://www.snort.org/docs/ (there is good documentation on the IDS-related aspects).

Maybe you can help me. I do not know how to reply to your message on the mailing list other than to reply to you directly. Should I cc the mailing list as I did?

Thanks
Ben van der Merwe

On Mon, 2004-12-13 at 18:12, Allan Jensen wrote:
> Rules are in the right place. No alerts because of
> good traffic sounds "too good" to be true. I also tried
> running snort while letting
> http://scan.sygatetech.com/ scan my computer leaving
> the firewall open.
>
> Is there any way (test) to get snort to react?
>
> Allan Jensen
>
> --- Ben van der Merwe <benm@pasco.co.za> wrote:
>
> > The other thing to check is that your rules are
> > located in the appropriate directory (as specified
> > in the configuration file).
> > It is also possible that there are no alerts
> > (because there is little traffic) or that the
> > traffic is 'good' and does not trigger any alerts.
> > ben
> >
> > ----- Original Message -----
> > From: Ben van der Merwe
> > To: Allan Jensen
> > Sent: Monday, December 13, 2004 12:50 PM
> > Subject: Re: [Snort-users] snort not reporting
> >
> > Allan, I suppose you have checked in
> > /var/log/snort/ppp0 for any results.
> > Normally snort displays an error message and exits
> > if something is wrong.
> > If you do a 'pgrep snort' and snort is running it
> > must be something else.
> > ben
> >
> > ----- Original Message -----
> > From: Allan Jensen
> > To: snort-users@lists.sourceforge.net
> > Sent: Monday, December 13, 2004 11:49 AM
> > Subject: [Snort-users] snort not reporting
> >
> > I installed snort 2.2.0 on Mac OS X 10.3.6
> > together with ACID 0.9.6b23. Everything went fine.
> > When I start snort:
> >
> > sudo snort -dvi -c /etc/snort/snort.conf
> >
> > I get the following:
> >
> > Running in IDS mode
> > Log directory = /var/log/snort
> >
> > Initializing Network Interface ppp0
> >
> > --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Decoding PPP on interface ppp0
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file /etc/snort/snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ,-----------[Flow Config]----------------------
> > | Stats Interval: 0
> > | Hash Method: 2
> > | Memcap: 10485760
> > | Rows : 4099
> > | Overhead Bytes: 16400(%0.16)
> > `----------------------------------------------
> > No arguments to frag2 directive, setting defaults to:
> > Fragment timeout: 60 seconds
> > Fragment memory cap: 4194304 bytes
> > Fragment min_ttl: 0
> > Fragment ttl_limit: 5
> > Fragment Problems: 0
> > Self preservation threshold: 500
> > Self preservation period: 90
> > Suspend threshold: 1000
> > Suspend period: 30
> > Stream4 config:
> > Stateful inspection: ACTIVE
> > Session statistics: INACTIVE
> > Session timeout: 30 seconds
> > Session memory cap: 8388608 bytes
> > State alerts: INACTIVE
> > Evasion alerts: INACTIVE
> > Scan alerts: INACTIVE
> > Log Flushed Streams: INACTIVE
> > MinTTL: 1
> > TTL Limit: 5
> > Async Link: 0
> > State Protection: 0
> > Self preservation threshold: 50
> > Self preservation period: 90
> > Suspend threshold: 200
> > Suspend period: 30
> > Stream4_reassemble config:
> > Server reassembly: INACTIVE
> > Client reassembly: ACTIVE
> > Reassembler alerts: ACTIVE
> > Zero out flushed packets: INACTIVE
> > flush_data_diff_size: 500
> > Ports: 21 23 25 53 80 110 111 143 513 1433
> > Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> > HttpInspect Config:
> > GLOBAL CONFIG
> > Max Pipeline Requests: 0
> > Inspection Type: STATELESS
> > Detect Proxy Usage: NO
> > IIS Unicode Map Filename: /etc/snort/unicode.map
> > IIS Unicode Map Codepage: 1252
> > DEFAULT SERVER CONFIG:
> > Ports: 80 8080 8180
> > Flow Depth: 300
> > Max Chunk Length: 500000
> > Inspect Pipeline Requests: YES
> > URI Discovery Strict Mode: NO
> > Allow Proxy Usage: NO
> > Disable Alerting: NO
> > Oversize Dir Length: 500
> > Only inspect URI: NO
> > Ascii: YES alert: NO
> > Double Decoding: YES alert: YES
> > %U Encoding: YES alert: YES
> > Bare Byte: YES alert: YES
> > Base36: OFF
> > UTF 8: OFF
> > IIS Unicode: YES alert: YES
> > Multiple Slash: YES alert: NO
> > IIS Backslash: YES alert: NO
> > Directory Traversal: YES alert: NO
> > Web Root Traversal: YES alert: YES
> > Apache WhiteSpace: YES alert: YES
> > IIS Delimiter: YES alert: YES
> > IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> > Non-RFC Compliant Characters: NONE
> > rpc_decode arguments:
> > Ports to decode RPC on: 111 32771
> > alert_fragments: INACTIVE
> > alert_large_fragments: ACTIVE
> > alert_incomplete: ACTIVE
> > alert_multiple_requests: ACTIVE
> > telnet_decode arguments:
> > Ports to decode telnet on: 21 23 25 119
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database: user = root
> > database: password is set
> > database: database name = snort
> > database: host = localhost
> > Node unique name is: 80.134.161.187
> > database: sensor name = 80.134.161.187
> > database: sensor id = 6
> > database: schema version = 106
> > database: using the "alert" facility
> > 2180 Snort rules read...
> > 2180 Option Chains linked into 176 Chain Headers
> > 0 Dynamic rules
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> >
> > +-----------------------[thresholding-config]----------------------------------
> > | memory-cap : 1048576 bytes
> >
> > +-----------------------[thresholding-global]----------------------------------
> > | none
> >
> > +-----------------------[thresholding-local]-----------------------------------
> > | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
> > | gen-id=1 sig-id=2924 type=Threshold tracking=src count=10 seconds=60
> > | gen-id=1 sig-id=2923 type=Threshold tracking=src count=10 seconds=60
> > | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
> > | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
> > | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
> > | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
> >
> > +-----------------------[suppression]------------------------------------------
> >
> > -------------------------------------------------------------------------------
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> > --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 2.2.0 (Build 30)
> > By Martin Roesch (roesch@sourcefire.com, www.snort.org)
> >
> > However after a while when I control-c :
> >
> > ^C
> >
> > ===============================================================================
> >
> > Snort received 8244 packets
> > Analyzed: 8244(100.000%)
> > Dropped: 0(0.000%)
> >
> > ===============================================================================
> > Breakdown by protocol:
> > TCP: 0 (0.000%)
> > UDP: 0 (0.000%)
> > ICMP: 0 (0.000%)
> > ARP: 0 (0.000%)
> > EAPOL: 0 (0.000%)
> > IPv6: 0 (0.000%)
> > IPX: 0 (0.000%)
> > OTHER: 0 (0.000%)
> > DISCARD: 0 (0.000%)
> >
> > ===============================================================================
> > Action Stats:
> > ALERTS: 0
> > LOGGED: 0
> > PASSED: 0
> >
> > ===============================================================================
> > Final Flow Statistics
> > ,----[ FLOWCACHE STATS ]----------
> > Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0)
> > IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
> > finds: 0 reversed: 0(%0.000000)
> > find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
> > database: Closing connection to database "p"
> > Snort exiting
> >
> > Nothing gets reported. I have configured snort.conf like this:
> >
> > var HOME_NET any
> > and
> > var EXTERNAL_NET any
> > and
> > output database: alert, mysql, user=root password=<mypassword> dbname=snort host=localhost
> >
> > Can anyone help?
> >
> > Thanks,
> > Allan

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
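An added triage helper for the exit summary Allan pasted above. This is example code written for this page, not code from the thread or from the Snort project. The point it works from is visible in the post: Snort received and analyzed 8244 packets, yet every counter in the protocol breakdown, OTHER and DISCARD included, is zero, and rules cannot match packets that never reach the IP-layer decoders. The script parses that summary and reports which of the common "no alerts" situations the counters indicate. The sample text is a constructed copy of the counters from the post; the finding codes and function names are this example's own, and reading an all-zero breakdown as a link-layer decoding problem is this example's interpretation, not a diagnosis the thread confirms.

```python
"""Triage a Snort 2.x exit summary (the block Snort prints after Ctrl-C).

Added example for this page; not code from the thread or from the Snort
project. The finding codes, and the reading of an all-zero protocol
breakdown as a link-layer decoding problem, are this example's own.
"""
import re
from typing import Dict, List

# Constructed sample: the counters Allan posted, laid out one per line as
# Snort prints them (the numbers are the ones from the post).
SAMPLE_SUMMARY = """\
Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
"""

# Protocol counters in the 2.2.0 "Breakdown by protocol" block.
PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "EAPOL", "IPv6", "IPX", "OTHER", "DISCARD")

_COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(\d+)", re.MULTILINE)
_RECEIVED_RE = re.compile(r"Snort received (\d+) packets")


def parse_summary(text: str) -> Dict[str, int]:
    """Return every 'NAME: n' counter in the summary, plus 'received'."""
    stats = {name: int(value) for name, value in _COUNTER_RE.findall(text)}
    m = _RECEIVED_RE.search(text)
    if m is None:
        raise ValueError("not a Snort exit summary: 'Snort received N packets' missing")
    stats["received"] = int(m.group(1))
    return stats


def decoded_packets(stats: Dict[str, int]) -> int:
    """Packets that reached a protocol decoder (sum of the breakdown block)."""
    return sum(stats.get(p, 0) for p in PROTOCOLS)


def triage(stats: Dict[str, int]) -> List[str]:
    """Map the counters to finding codes, most fundamental problem first.

    NO_TRAFFIC   nothing captured: wrong interface, or nothing on the wire.
    NOT_DECODED  packets captured but none counted under any protocol, so
                 nothing ever reached the rules; suspect the link-layer
                 decoder selected for the interface ("Decoding PPP on
                 interface ppp0" in the post) rather than the rule set.
    NO_ALERTS    traffic was decoded but no rule fired: check the rules
                 and the output plugin, or send known-bad test traffic.
    DROPS        the capture dropped packets; alerts may have been missed.
    """
    findings: List[str] = []
    if stats["received"] == 0:
        findings.append("NO_TRAFFIC")
    elif decoded_packets(stats) == 0:
        findings.append("NOT_DECODED")
    elif stats.get("ALERTS", 0) == 0:
        findings.append("NO_ALERTS")
    if stats.get("Dropped", 0) > 0:
        findings.append("DROPS")
    return findings


if __name__ == "__main__":
    s = parse_summary(SAMPLE_SUMMARY)
    print(f"received={s['received']} decoded={decoded_packets(s)} "
          f"alerts={s.get('ALERTS', 0)} -> {triage(s)}")
```

Two caveats on the advice in the thread, in the editor's words rather than the posters': in Snort 2.x the switch that writes captured packets to a tcpdump-format binary log is `-b` (`-A` selects the alert output mode), so Ben's binary-logging suggestion maps to `snort -b -i ppp0 ...`; and the quickest way to make Snort "react" on demand, as Allan asks, is a local rule such as `alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)` included from snort.conf, followed by a ping to the sensor. If even that stays silent while `tcpdump -i ppp0` shows the echo requests, the problem lies in decoding or in the output plugin, not in the rule set.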