LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - arunpushkar (LQ Newbie) - 02-20-2013, 11:44 PM
SNORT-2.9.4 Installed properly but NOT Logging ALERTS


USING snort 2.9.4, daq 2.0.0, snortrules-snapshot-2940

I have installed snort and after installation when I run the following:
Code:
sudo snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
I get:
Code:
Finished dumping dynamic rules.
Snort exiting
When I run this for testing the installation:
Code:
sudo snort -c /usr/local/snort/etc/snort.conf -T -l /var/log/snort
I get:
Code:
Snort successfully validated the configuration!
Snort exiting
When I run the following to find out whether it is capturing packets:
Code:
/usr/local/snort/bin/snort -i eth0
I can see traffic, but when I use 'curl http://testmyids.com' to test the SNORT installation it does not give any alert in the unified2 file which is being logged in /var/log/snort.

The snort config file has this line for logging into a unified file:
Code:
output unified2: filename unified.snort.alert, limit 128
And for starting snort I am using the following command:
Code:
sudo snort -c /usr/local/snort/etc/snort.conf -l /var/log/snort -i eth0
Everything seems to be right, but why is it not logging alerts, as the unified2 file is always 0 bytes?

Last edited by unSpawn; 02-21-2013 at 05:59 AM. Reason: //Undo unnecessary font stuff and use vBB code tags
#2 - unSpawn (Moderator) - 02-21-2013, 06:05 AM
Well done, concise but nearly complete post. Only one thing is missing: which rule exactly should your action trip? After all http://testmyids.com is just a plain (URI) string and nothing else. Most of the time you'll be looking for specific packet payloads and often in the direction of the Snort sensor. Please post the rule and if you created the rule yourself please explain what you derived its filter from if necessary.
#3 - arunpushkar (LQ Newbie, Original Poster) - 02-21-2013, 06:14 AM
I have made no extra rule. In fact, while googling I found that in order to test your installed SNORT you use curl http://testmyids.com; it will generate bad traffic for your PC or IP and SNORT will generate an alert. It used to work fine when I last installed SNORT-2.9.3 with snort-rules-snapshot-2931, but now that I have installed SNORT-2.9.4 with snort-rules-snapshot-2940 it is not generating any alerts for traffic from http://testmyids.com.
#4 - unSpawn (Moderator) - 02-21-2013, 06:26 AM
Quote (originally posted by arunpushkar):
> It used to work fine when I last installed SNORT-2.9.3 with snort-rules-snapshot-2931, but now that I have installed SNORT-2.9.4 with snort-rules-snapshot-2940 it is not generating any alerts for traffic from http://testmyids.com.
Well then, the first thing would be to diff the two rule sets and see what changed between snapshots?
#5 - arunpushkar (LQ Newbie, Original Poster) - 02-21-2013, 07:54 AM
How do I find what changes have been made, and where, since there are many rule files under ../rules? And where can I find the specific rule I am interested in?
#6 - unSpawn (Moderator) - 02-21-2013, 11:50 AM
'diff -urN /one/dir /other/dir'?
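The thread never names the rule the curl test is meant to trip, so here is an added example (not code from the thread or from Snort) that does from the shell what posts #5 and #6 ask: find the enabled rule matching a content string in a rule snapshot, list the rule files that differ between two snapshots, and report the size of the newest unified2 spool file. It assumes the two snapshots are unpacked into two directories and that testmyids.com answers with a body containing "uid=0(root)", the string attack-response rules key on; the sample rules and directories below are constructed, not real Sourcefire rules.

```shell
#!/bin/sh
# Added example, not code from the thread. It answers posts #5 and #6 from the
# shell: which enabled rule (if any) a test string should trip in a rule
# snapshot, which rule files changed between two snapshots, and how big the
# newest unified2 spool file is. The snapshot dirs and rules are constructed.
set -eu

# Print "file:sid" for every ENABLED (uncommented) rule under DIR ($1) whose
# line matches grep pattern $2. Commented-out rules never fire, so skip them.
find_rules_matching() {
    grep -r --include='*.rules' '^alert' "$1" 2>/dev/null \
      | grep -- "$2" \
      | sed -n 's/^\([^:]*\):.*sid:\([0-9]*\);.*/\1:\2/p'
}

# Basenames of rule files whose contents differ between two snapshot dirs
# (the file-level summary of unSpawn's 'diff -urN /one/dir /other/dir').
changed_rule_files() {
    diff -rqN "$1" "$2" | awk '/^Files /{n=split($2,p,"/"); print p[n]}'
}

# Byte size of the newest unified2 spool file in LOGDIR ($1) written for
# 'output unified2: filename PREFIX' ($2); Snort appends a timestamp suffix.
newest_unified2_bytes() {
    f=$(ls -t "$1"/"$2".* 2>/dev/null | head -n 1)
    if [ -n "$f" ]; then wc -c < "$f" | tr -d ' '; else echo 0; fi
}

# --- constructed demo data (not real Sourcefire rules) ---------------------
demo=$(mktemp -d)
mkdir -p "$demo/old" "$demo/new" "$demo/log"
# testmyids.com answers with the body "uid=0(root) ...", which is what an
# attack-response rule keys on. Enabled in the "old" snapshot...
cat > "$demo/old/attack-responses.rules" <<'EOF'
alert ip any any -> any any (msg:"DEMO id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:9000001; rev:1;)
EOF
# ...but shipped commented out in the "new" one, so curl trips nothing.
cat > "$demo/new/attack-responses.rules" <<'EOF'
# alert ip any any -> any any (msg:"DEMO id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:9000001; rev:1;)
EOF
echo 'alert tcp any any -> any 80 (msg:"DEMO unchanged"; sid:9000002; rev:1;)' \
  | tee "$demo/old/web.rules" > "$demo/new/web.rules"
: > "$demo/log/unified.snort.alert.1361427000"   # empty spool, like the OP's

echo "old snapshot: $(find_rules_matching "$demo/old" 'uid=0')"
echo "new snapshot: $(find_rules_matching "$demo/new" 'uid=0')"
echo "changed files: $(changed_rule_files "$demo/old" "$demo/new")"
echo "spool bytes: $(newest_unified2_bytes "$demo/log" unified.snort.alert)"
```

Point the three functions at the real snapshot directories and /var/log/snort instead of the demo data; an empty match list for the new snapshot is the symptom to look for.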