Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm trying to set up a home network, and am not understanding how snort (2.2.0) works. My internet connection is PPPoE DSL, I have Linux Fedora Core 2 on the firewall box, and have set up shorewall by hand with NAT enabled. The firewall and NAT work fine now as far as I can tell.
I have snort installed, and have spent many hours reading, trying to figure out how it works. When I use a command like snort -A fast -l /var/log/snort -d -i eth0, snort logs offending IP addresses in /var/log/snort as directories, but never writes anything to /var/log/snort/alert. (At first I thought I should use ppp0 as the interface, but then snort never logs anything at all, even when I scan my machine.) Now, I would like to run snort in IDS mode, so according to what I've read I should use a command like snort -A fast -d -i eth0 -c /etc/snort.conf. However, when I use that command, nothing ever gets logged, and nothing gets written to the alerts file (or any syslog file either). I would eventually like to use something like Dan's Guardian to block offending sites, but Guardian uses the snort alert file, which is always empty. Why isn't anything getting written to the alerts file? Shouldn't the events that cause logging to occur get written to the alert file? I honestly don't understand how it works, and at this point the more I read the more confused I get.
Below is my snort.conf file. Snort.conf is supposedly self-explanatory, but not to a newbie like me. I'm using the default rule set, which I put in /etc/snort/rules. Can anyone point me in the right direction?
snort.conf lines:
Code:
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
After you run snort (with: snort -A fast -d -i eth0 -c /etc/snort.conf), use CTRL-C to end snort, then look at snort's statistics dump. Specifically look at the numbers under the section "Action Stats". It should look like this:
Code:
Snort analyzed 71 out of 71 packets, dropping 0(0.000%) packets
Breakdown by protocol:
  TCP: 30 (42.254%)
  UDP: 4 (5.634%)
  ICMP: 0 (0.000%)
Action Stats:
  ALERTS: 3
  LOGGED: 4
  PASSED: 0
Make sure that the ALERT section is non-zero. If ALERT is persistently zero, then the positioning of the sensor is incorrect and snort just isn't seeing any malicious traffic. You can try using a port scan or even snort-sneeze to generate alert packets and see if those will generate entries under the ALERT stat. I tried using your rule on one of my snort sensors and it logged alerts to /var/log/snort/alert just fine, so it's not incorrect syntax. Also make sure that you're sniffing the right interface; use snort -i <interface> -vde. If it's working properly, it should generate a large number of packets. Also make sure the sensor is located in a position where it will see malicious traffic. If you put it in a LAN behind a firewall with a bunch of trusted machines, it's very likely you won't see many alerts at all (if any).
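The two checks in the reply above (is the ALERTS counter in the Ctrl-C statistics dump non-zero, and is the rule set the config actually loads populated) can be scripted. The following is an added example, not code from the thread or from the Snort project. It parses the "Action Stats" block whether Snort prints it side by side with the protocol breakdown or as a separate block, and it resolves the `var` and `include $RULE_PATH/...` lines of a snort.conf like the one posted to report, for each included .rules file, whether it exists and how many active rules it holds. The names `SAMPLE_STATS`, `parse_action_stats`, `sensor_sees_alerts`, `check_rule_includes` and `demo` are my own, and `demo()` builds its rule directory in a temporary folder, so the sample config and rule files are constructed for the example rather than taken from a real sensor.

```python
"""Sanity checks for a Snort 2.x sensor that never writes alerts (added example).

1. parse_action_stats / sensor_sees_alerts: read the statistics dump Snort
   prints on Ctrl-C and report whether ALERTS is non-zero. Zero alerts with a
   valid config usually means the wrong interface or a sensor placed where it
   sees only trusted traffic.
2. check_rule_includes: resolve `var` definitions and `include $RULE_PATH/...`
   lines from snort.conf and check that every included rules file exists and
   contains at least one active (non-comment) rule. A missing or empty rule
   directory is another reason the alert file stays empty.
"""
import os
import re
import shutil
import tempfile

# Constructed sample of the statistics dump, laid out as separate blocks.
SAMPLE_STATS = """\
Snort analyzed 71 out of 71 packets, dropping 0(0.000%) packets
Breakdown by protocol:
  TCP: 30 (42.254%)
  UDP: 4 (5.634%)
  ICMP: 0 (0.000%)
Action Stats:
  ALERTS: 3
  LOGGED: 4
  PASSED: 0
"""

# Matches the three Action Stats counters wherever they sit on the line, so the
# side-by-side layout ("TCP: 30 (42.254%) ALERTS: 3") parses the same way.
ACTION_RE = re.compile(r"\b(ALERTS|LOGGED|PASSED):\s*(\d+)")
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")


def parse_action_stats(text):
    """Return {'ALERTS': n, 'LOGGED': n, 'PASSED': n} from a Snort stats dump."""
    return {name: int(count) for name, count in ACTION_RE.findall(text)}


def sensor_sees_alerts(text):
    """True when the dump shows a non-zero ALERTS counter."""
    return parse_action_stats(text).get("ALERTS", 0) > 0


def expand_vars(value, variables):
    """Substitute $NAME references using the `var` lines seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def check_rule_includes(conf_text, base_dir):
    """Map each included .rules path to its active rule count, or None if the
    file is missing. Relative includes are resolved against base_dir."""
    variables = {}
    report = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if not m or not m.group(1).endswith(".rules"):
            continue  # classification.config etc. are not rule files
        path = expand_vars(m.group(1), variables)
        if not os.path.isabs(path):
            path = os.path.join(base_dir, path)
        if not os.path.exists(path):
            report[path] = None
            continue
        with open(path) as fh:
            active = [l for l in fh if l.strip() and not l.lstrip().startswith("#")]
        report[path] = len(active)
    return report


def demo():
    """Build a throwaway rule directory and run the include check on a config
    shaped like the one in the thread. Returns {basename: count-or-None}."""
    tmp = tempfile.mkdtemp()
    try:
        rules = os.path.join(tmp, "rules")
        os.mkdir(rules)
        # local.rules holds only a comment, scan.rules one benign ICMP echo rule,
        # and icmp.rules is deliberately left missing.
        with open(os.path.join(rules, "local.rules"), "w") as fh:
            fh.write("# local rules, none defined yet\n")
        with open(os.path.join(rules, "scan.rules"), "w") as fh:
            fh.write('alert icmp any any -> $HOME_NET any '
                     '(msg:"ICMP echo test"; itype:8; sid:1000001; rev:1;)\n')
        conf = ("var HOME_NET 192.168.0.0/24\n"
                "var RULE_PATH %s\n"
                "include classification.config\n"
                "include $RULE_PATH/local.rules\n"
                "include $RULE_PATH/scan.rules\n"
                "include $RULE_PATH/icmp.rules\n" % rules)
        report = check_rule_includes(conf, tmp)
        return {os.path.basename(p): n for p, n in report.items()}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("sensor sees alerts:", sensor_sees_alerts(SAMPLE_STATS))
    print("rule includes:", demo())
```

Run the include check against the real /etc/snort.conf with `check_rule_includes(open("/etc/snort.conf").read(), "/etc/snort")`; any `None` entry is a rule file Snort cannot load, and a count of 0 for every file means no rule can ever fire regardless of where the sensor sits.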