I'm trying to set up a home network, and am not understanding how snort (2.2.0) works. My internet connection is pppoe dsl, I have linux fedora core2 on the firewall box, and have set up shorewall by hand with nat enabled. The firewall and nat work fine now as far as I can tell.

I have snort installed, and have spent many hours reading trying to figure out how it works. When I use a command like snort -A fast -l /var/log/snort -d -i eth0, snort logs offending ip addresses in /var/log/snort as directories, but never writes anything to /var/log/snort/alert. (At first I thought I should use ppp0 as interface, but snort never logs anything at all, even when I scan my machine.). Now, I would like to run snort in ids mode, so according to what I've read I should use a command like snort -A fast -d -i eth0 -c /etc/snort.conf. However, when I use that command, nothing ever gets logged, and nothing gets written to the alerts file (or any syslog file either). I would eventually like to use something like Dan's Guardian to block offending sites, but Guardian uses the snort alert file, which is always empty. Why isn't anything getting written to the alerts file? Shouldn't the events that cause logging to occur get written to the alert file? I honestly don't understand how it works, and at this point the more I read the more confused I get.

Below is my snort.conf file. Snort.conf is supposedly self explanatory, but not to a newbie like me. I'm using the default rule set, which I put in /etc/snort/rules. Can anyone point me in the right direction?

snort.conf lines-------------------------

var HOME_NET 192.168.0.0/24

var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

include classification.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules


Thanks!

After you run snort (with: snort -A fast -d -i eth0 -c /etc/snort.conf), use CTRL-C to end snort, then look at snort's statistics dump. Specifically look at the numbers under the section "Action Stats". It should look like this:
Make sure that the ALERT section is non-zero. If ALERT is persistently zero, then the positioning of the sensor is incorrect and snort just isn't seeing any malicious traffic. You can try using a port scan or even snort-sneeze to generate alert packets and see if those will generate entries under the ALERT stat. I tried using your rule on one of my snort sensors and it logged alerts to /var/log/snort/alert just fine, so it's not incorrect syntax. Also make sure that your sniffing the right interface; use snort -i <interface> -vde. If it's working properly, it should generate a large number of packets. Also make sure the sensor is located in a position where it will see malicious traffic. If you put it in a LAN behind a firewall with a bunch of trusted machines, it's very likely you won't see many alerts at all (if any).