Thanks.
The results of the diff comparison are ('snort.conf.old' being the original):
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /etc/snort $ sudo diff -urN snort.conf.old snort.conf
--- snort.conf.old 2014-10-20 01:38:32.893683242 +0100
+++ snort.conf 2014-10-20 23:02:18.250749169 +0100
@@ -85,7 +85,7 @@
portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
# List of ports you want to look for SHELLCODE on.
-portvar SHELLCODE_PORTS !80
+portvar SHELLCODE_PORTS 80
# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1024:
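Review bot: the `!` in `portvar SHELLCODE_PORTS !80` is a negation, so the original meant "every port except 80"; dropping it flips the variable to "only port 80", which inverts the intent of the comment above ("ports you want to look for SHELLCODE on") and leaves the shellcode rules watching only HTTP traffic, which HTTP_PORTS already covers. Unless that is deliberate, restore `portvar SHELLCODE_PORTS !80`.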
@@ -120,8 +120,8 @@
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
-var WHITE_LIST_PATH /etc/snort/rules
-var BLACK_LIST_PATH /etc/snort/rules
+#var WHITE_LIST_PATH /etc/snort/rules
+#var BLACK_LIST_PATH /etc/snort/rules
###################################################
# Step #2: Configure the decoder. For more information, see README.decode
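Review bot: commenting out `var WHITE_LIST_PATH` and `var BLACK_LIST_PATH` only works if every later line that expands `$WHITE_LIST_PATH` or `$BLACK_LIST_PATH` is disabled as well; otherwise parsing fails on an undefined variable at the first such reference. If the aim was to get past a missing list file, the fix the comment above asks for (set the absolute path to where the list files actually live) keeps the IP reputation lists in play instead of silently removing them.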
@@ -146,10 +146,10 @@
config disable_ipopt_alerts
# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
-# config enable_decode_oversized_alerts
+config enable_decode_oversized_alerts
# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
-# config enable_decode_oversized_drops
+config enable_decode_oversized_drops
# Configure IP / TCP checksum mode
config checksum_mode: all
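Review bot: `config enable_decode_oversized_drops` is described on the line above it as inline-only; the syslog later in this thread reports `pcap DAQ configured to passive`, so in this deployment the drops directive is inert and only `config enable_decode_oversized_alerts` takes effect. Enabling the alert is reasonable for detection, but it fires on any packet whose IP/TCP/UDP length field exceeds the captured length, so check the alert file for noise after turning it on.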
@@ -193,7 +193,7 @@
# Configure default log directory for snort to log to. For more information see snort -h command line options (-l)
#
-# config logdir:
+config logdir:/var/log/snort
###################################################
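Review bot: `config logdir:/var/log/snort` does take effect, as the later `ls /var/log/snort` in the thread confirms, but a `-l` switch on the command line overrides it, and the directory has to be writable by the unprivileged uid/gid Snort drops to after startup (the syslog lines later show `Set gid to 127` and `Set uid to 116`); otherwise the output plugins fail when they open their files even though the daemon appeared to start.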
@@ -530,13 +530,13 @@
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
-# unified2
+#unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
-# output alert_unified2: filename snort.alert, limit 128, nostamp
+output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# syslog
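Review bot: the `-# unified2` / `+#unified2` change touches only a comment and has no effect; what matters is that `output unified2: filename snort.log ...` stays active and `output alert_unified2: filename snort.alert ...` is newly enabled, so two binary (unified2) outputs are now on. That is why `less snort.log` later in the thread reports a binary file. For plain-text alerts without Barnyard, comment out both `output ...unified2:` lines and let `-A fast` (or `-A full`) write the text `alert` file instead.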
@@ -584,7 +584,7 @@
#include $RULE_PATH/browser-webkit.rules
include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
+#include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
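Review bot: no reason is given for disabling `ddos.rules` while `dos.rules` stays enabled; if it was done to get past a rule parse error, a `snort -T` run names the failing rule and file, and fixing or excluding that single rule keeps the rest of the set's coverage. Either way, add a comment next to the `#include` saying why it is off so the detection gap is not forgotten.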
I think I made a mess of the logs; what I wanted was to use var/log/snort/log and alert rather than Barnyard, etc.
I can send the original snort.conf if needed, thought there might not be space here.
Take the point about the -T test, being a bit dozy. Not sure about the warnings, though.
Quote:
Originally Posted by Fred Caro
what I wanted was to use var/log/snort/log and alert rather than Barnyard, etc.
There are a few possibilities: none, binary logging (unified), tcpdump packet log, database, syslog, and ASCII alert log, and it may not be clear from reading 'man snort', but just setting the log directory name is not enough. The diff shows you have correctly set the log directory name, but you also enabled binary (unified) logging. See 'man snort' for "-A".
Quote:
Originally Posted by Fred Caro
Not sure about the warnings, though.
I don't feel like going over each and every flowbit and other warning but as far as I can see those can be ignored. If running the test succeeds then you should be good to go. BTW you haven't confirmed if you are now able to run Snort in daemon mode and test that's the case. Please do so.
Hashed out the 'unified2' option but left all else alone, which gave me this:
Code:
pcap DAQ configured to passive.
Acquiring network traffic from "-A".
ERROR: Can't set DAQ BPF filter to 'alert-mode full eth1' (pcap_daq_set_filter: pcap_compile: syntax error)!
That line (please post errors and the actual command causing it) suggests Snort didn't find its ethernet device because you supplied the switches in the wrong order. Should have looked something like this:
Please don't grep for stuff unnecessarily: the output of 'sudo pgrep -lf snort' would do.
Also please check syslog / its own log after you've started it.
Thanks for reply.
Not sure what "syslog /" means, but tried the following with attendant results:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ tail -f syslog
Oct 31 00:36:11 fred-HP-Compaq-nc6220-PU982ET-ABU rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="446" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU postfix/sendmail[2858]: fatal: open /etc/postfix/main.cf: No such file or directory
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Tried to mail output of job `cron.daily', but mailer process (/usr/sbin/sendmail) exited with ststus 75
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' started
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[2921]: Updated timestamp for job `cron.weekly' to 2014-10-31
^C
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ cd snort
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ ls
alert alert.1.gz snort.log snort.log.1414262738
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ less snort.log
"snort.log" may be a binary file. See it anyway?
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ sudo tail -f syslog
tail: cannot open ‘syslog’ for reading: No such file or directory
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ tail -f syslog
tail: cannot open ‘syslog’ for reading: No such file or directory
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ cd ..
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ tail -f syslog
Oct 31 00:36:11 fred-HP-Compaq-nc6220-PU982ET-ABU rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="446" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU postfix/sendmail[2858]: fatal: open /etc/postfix/main.cf: No such file or directory
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Tried to mail output of job `cron.daily', but mailer process (/usr/sbin/sendmail) exited with ststus 75
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' started
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[2921]: Updated timestamp for job `cron.weekly' to 2014-10-31
Oct 31 00:43:05 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' terminated
Oct 31 00:43:05 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Normal exit (2 jobs run)
^C
It seems there are more problems than just snort, but the existence of 'alert.1.gz' suggests snort is recording something from somewhere.
Using 'tail' results in displaying entries that appear in the log file now (or starting any number of lines earlier with the "-n" switch). Ergo, if you (re)started snort earlier on, you will not find those entries. You can find those entries with
Code:
grep -i snort /var/log/syslog
Quote:
Originally Posted by Fred Caro
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ ls
alert alert.1.gz snort.log snort.log.1414262738
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ less snort.log
"snort.log" may be a binary file. See it anyway?
As you configured snort.conf that way, in your directory output above "snort.log" either contains unified (binary) or packet logging and "alert" contains plain text alerts. You can find out what files contain with
Code:
file /var/log/snort/*
Also note that you have not returned earlier requested 'sudo pgrep -lf snort' information.
Code:
Snort BPF option: /var/log/syslog
Acquiring network traffic from "eth0".
ERROR: Can't set DAQ BPF filter to '/var/log/syslog' (pcap_daq_set_filter: pcap_compile: syntax error)!
As you haven't noticed / diagnosed it yourself, a couple of remarks here. Snort appears to be listening on eth0 (instead of eth1), and somehow another option was incomplete, as it seems to think it now uses a BPF (Berkeley Packet Filter). So either you have fiddled with options again, or maybe it's the Debian startup script, and until you figure out what it is you should run Snort in the way we determined it runs OK:
Code:
sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1
That's neither preferable nor satisfactory, but that's the best I can suggest for now.
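Two points made above are easy to check mechanically: the active `output` lines, not just `logdir`, decide what lands on disk (and whether it is binary), and syslog, not pgrep, tells you which interface Snort actually opened. The script below is an added example, not code from the thread or from the Snort project; the snort.conf fragment and syslog lines it reads are constructed to mirror the ones posted.

```shell
#!/bin/sh
# Added example, not from the thread: report what a snort.conf really
# enables for output and recover the capture interface from syslog lines
# of the kind posted above. The conf fragment and syslog are constructed.

# Print the active (uncommented) "output" and "config logdir" directives;
# leading whitespace is stripped so indented comment lines are dropped too.
snort_active_outputs() {
    sed 's/^[[:space:]]*//' "$1" | grep -E '^(output |config logdir:)'
}

# Count active unified2 outputs. Anything above 0 means binary log files
# that need Barnyard or u2spewfoo to read, not less/cat.
snort_unified2_count() {
    snort_active_outputs "$1" | grep -c 'unified2'
}

# Pull the interface name(s) out of Snort's "Acquiring network traffic"
# syslog line; pgrep may show only "snort", this shows what it opened.
snort_ifaces_from_syslog() {
    grep 'snort\[[0-9]*\]: Acquiring network traffic from' "$1" \
        | sed -n 's/.*from "\([^"]*\)".*/\1/p'
}

# Constructed conf fragment mirroring the post-diff state in the thread.
SAMPLE_CONF=$(mktemp)
SAMPLE_SYSLOG=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_SYSLOG"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
config logdir:/var/log/snort
#unified2
# output unified2: filename merged.log, limit 128, nostamp
output unified2: filename snort.log, limit 128, nostamp
output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
EOF

# Constructed syslog excerpt in the same format as the one posted.
cat > "$SAMPLE_SYSLOG" <<'EOF'
Nov 5 23:27:35 host snort[2947]: pcap DAQ configured to passive.
Nov 5 23:27:35 host snort[2947]: Acquiring network traffic from "eth1".
Nov 5 23:27:35 host snort[2956]: Commencing packet processing (pid=2956)
EOF

snort_active_outputs "$SAMPLE_CONF"
echo "active unified2 outputs: $(snort_unified2_count "$SAMPLE_CONF")"
echo "interface(s) from syslog: $(snort_ifaces_from_syslog "$SAMPLE_SYSLOG")"
```

Against the real files, `snort_active_outputs /etc/snort/snort.conf` and `snort_ifaces_from_syslog /var/log/syslog` answer the same two questions for the running box.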
I did notice snort is tracking on eth0; this is the problem, and that is why I suggested changing the conf file line containing 'any' to 'eth1,eth0'.
I did look for bpf entries in snort.conf, e.g.:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo grep -i bpf /etc/snort/snort.conf
[sudo] password for fred:
# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
# config bpf_file:
There is nothing relating to BPF below that last line that I can see.
Then I tried the following:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1 -v -T
[sudo] password for fred:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort stop
* Stopping Network Intrusion Detection System snort * - No running snort instance found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1 -v -T
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1
Spawning daemon child...
My daemon child 2884 lives...
Daemon parent exiting (0)
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort status
* Status of snort daemon(s) [ OK ]
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort restart
* Stopping Network Intrusion Detection System snort [ OK ]
* Starting Network Intrusion Detection System snort [ OK ]
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort
2956 snort
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth1
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth0
However, now getting this from syslog:
Code:
--
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: [ Number of patterns truncated to 20 bytes: 1039 ]
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: pcap DAQ configured to passive.
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Acquiring network traffic from "eth1".
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Initializing daemon mode
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Daemon initialized, signaled parent pid: 2947
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread starting...
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread started, thread 0x9f36db40 (2957)
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Decoding Ethernet
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Checking PID path...
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: PID path stat checked out ok, PID path set to /var/run/
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Writing PID "2956" to file "/var/run//snort_eth1.pid"
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set gid to 127
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set uid to 116
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]:
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: --== Initialization Complete ==--
Nov 5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Commencing packet processing (pid=2956)
This is the tail end.
pgrep still does not give an eth1 indication, but syslog seems to, so that seems to be progress?