snort alert and logging
I'm trying to set up a home network, and am not understanding how snort (2.2.0) works. My internet connection is pppoe dsl, I have linux fedora core2 on the firewall box, and have set up shorewall by hand with nat enabled. The firewall and nat work fine now as far as I can tell.
I have snort installed, and have spent many hours reading trying to figure out how it works. When I use a command like snort -A fast -l /var/log/snort -d -i eth0, snort logs offending ip addresses in /var/log/snort as directories, but never writes anything to /var/log/snort/alert. (At first I thought I should use ppp0 as interface, but snort never logs anything at all, even when I scan my machine.). Now, I would like to run snort in ids mode, so according to what I've read I should use a command like snort -A fast -d -i eth0 -c /etc/snort.conf. However, when I use that command, nothing ever gets logged, and nothing gets written to the alerts file (or any syslog file either). I would eventually like to use something like Dan's Guardian to block offending sites, but Guardian uses the snort alert file, which is always empty. Why isn't anything getting written to the alerts file? Shouldn't the events that cause logging to occur get written to the alert file? I honestly don't understand how it works, and at this point the more I read the more confused I get. Below is my snort.conf file. Snort.conf is supposedly self explanatory, but not to a newbie like me. I'm using the default rule set, which I put in /etc/snort/rules. Can anyone point me in the right direction? snort.conf lines------------------------- var HOME_NET 192.168.0.0/24 var EXTERNAL_NET any var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var SNMP_SERVERS $HOME_NET var HTTP_PORTS 80 var SHELLCODE_PORTS !80 var ORACLE_PORTS 1521 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] var RULE_PATH /etc/snort/rules preprocessor flow: stats_interval 0 hash 2 preprocessor frag2 preprocessor stream4: disable_evasion_alerts preprocessor stream4_reassemble preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode include classification.config include reference.config include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/virus.rules include $RULE_PATH/experimental.rules Thanks! |
After you run snort (with: snort -A fast -d -i eth0 -c /etc/snort.conf), use CTRL-C to end snort, then look at snort's statistics dump. Specifically look at the numbers under the section "Action Stats". It should look like this:
Code:
Snort analyzed 71 out of 71 packets, dropping 0(0.000%) packets |
All times are GMT -5. The time now is 11:52 PM. |