LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-13-2004, 10:33 PM   #1
wilcsnyder
LQ Newbie
 
Registered: Dec 2001
Location: Guizhou, China
Distribution: rh
Posts: 13

Rep: Reputation: 0
snort alert and logging


I'm trying to set up a home network, and am not understanding how snort (2.2.0) works. My internet connection is pppoe dsl, I have linux fedora core2 on the firewall box, and have set up shorewall by hand with nat enabled. The firewall and nat work fine now as far as I can tell.

I have snort installed, and have spent many hours reading trying to figure out how it works. When I use a command like snort -A fast -l /var/log/snort -d -i eth0, snort logs offending ip addresses in /var/log/snort as directories, but never writes anything to /var/log/snort/alert. (At first I thought I should use ppp0 as interface, but snort never logs anything at all, even when I scan my machine). Now, I would like to run snort in ids mode, so according to what I've read I should use a command like snort -A fast -d -i eth0 -c /etc/snort.conf. However, when I use that command, nothing ever gets logged, and nothing gets written to the alerts file (or any syslog file either). I would eventually like to use something like Dan's Guardian to block offending sites, but Guardian uses the snort alert file, which is always empty. Why isn't anything getting written to the alerts file? Shouldn't the events that cause logging to occur get written to the alert file? I honestly don't understand how it works, and at this point the more I read the more confused I get.

Below is my snort.conf file. Snort.conf is supposedly self explanatory, but not to a newbie like me. I'm using the default rule set, which I put in /etc/snort/rules. Can anyone point me in the right direction?

snort.conf lines-------------------------

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules


Thanks!
 
Old 08-16-2004, 07:08 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
After you run snort (with: snort -A fast -d -i eth0 -c /etc/snort.conf), use CTRL-C to end snort, then look at snort's statistics dump. Specifically look at the numbers under the section "Action Stats". It should look like this:
Code:
Snort analyzed 71 out of 71 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 30         (42.254%)         ALERTS: 3
    UDP: 4          (5.634%)          LOGGED: 4
   ICMP: 0          (0.000%)          PASSED: 0
Make sure that the ALERT section is non-zero. If ALERT is persistently zero, then the positioning of the sensor is incorrect and snort just isn't seeing any malicious traffic. You can try using a port scan or even snort-sneeze to generate alert packets and see if those will generate entries under the ALERT stat. I tried using your rule on one of my snort sensors and it logged alerts to /var/log/snort/alert just fine, so it's not incorrect syntax. Also make sure that you're sniffing the right interface; use snort -i <interface> -vde. If it's working properly, it should generate a large number of packets. Also make sure the sensor is located in a position where it will see malicious traffic. If you put it in a LAN behind a firewall with a bunch of trusted machines, it's very likely you won't see many alerts at all (if any).
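The reply's troubleshooting boils down to reading two numbers out of the statistics dump: how many packets Snort analyzed (zero means the wrong interface or no traffic) and the ALERTS counter (zero with traffic present means nothing matched, so placement or test traffic is the next thing to look at). The helper below is an added example written for this thread, not code from either poster or from the Snort project; it parses a Snort 2.x dump in the layout shown above and returns that three-way diagnosis. It assumes the dump format is exactly as printed in the reply. The first sample dump reuses the reply's own figures; the other two are constructed to show the two failure cases.

```python
import re

# Constructed sample: the statistics dump in the shape Snort 2.x prints after
# CTRL-C, using the figures from the reply above (3 alerts out of 71 packets).
HEALTHY_DUMP = """\
Snort analyzed 71 out of 71 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 30         (42.254%)         ALERTS: 3
    UDP: 4          (5.634%)          LOGGED: 4
   ICMP: 0          (0.000%)          PASSED: 0
"""

# Constructed sample: plenty of traffic seen, but no rule ever fired.
QUIET_DUMP = """\
Snort analyzed 5120 out of 5120 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 4000       (78.125%)         ALERTS: 0
    UDP: 1000       (19.531%)         LOGGED: 0
   ICMP: 120        (2.344%)          PASSED: 0
"""

# Constructed sample: the sensor captured nothing at all (wrong interface, or
# the interface carried no traffic during the run).
EMPTY_DUMP = """\
Snort analyzed 0 out of 0 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
"""

# Summary line: "Snort analyzed N out of M packets, dropping D(...) packets"
_SUMMARY_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)"
)
# The three Action Stats counters, wherever they sit on the line.
_ACTION_RE = re.compile(r"\b(ALERTS|LOGGED|PASSED):\s*(\d+)")


def parse_stats(dump: str) -> dict:
    """Pull the packet summary and the Action Stats counters out of a dump.

    Raises ValueError if the summary line is missing, so truncated or
    unrelated output is not silently read as "zero packets".
    """
    m = _SUMMARY_RE.search(dump)
    if m is None:
        raise ValueError("no 'Snort analyzed ...' summary line found")
    stats = {key: int(val) for key, val in m.groupdict().items()}
    counters = {name.lower(): int(val) for name, val in _ACTION_RE.findall(dump)}
    for key in ("alerts", "logged", "passed"):
        stats[key] = counters.get(key, 0)
    return stats


def diagnose(stats: dict) -> str:
    """Make the same three-way call the reply makes.

    "no_packets": nothing captured; check the interface with snort -i <if> -vde.
    "no_alerts":  traffic seen but no rule fired; check sensor placement, or
                  generate traffic that is known to trigger a rule and re-run.
    "ok":         rules are firing, so the alert file should be filling up.
    """
    if stats["analyzed"] == 0:
        return "no_packets"
    if stats["alerts"] == 0:
        return "no_alerts"
    return "ok"


if __name__ == "__main__":
    for label, dump in (("healthy", HEALTHY_DUMP),
                        ("quiet", QUIET_DUMP),
                        ("empty", EMPTY_DUMP)):
        s = parse_stats(dump)
        print(f"{label:8s} analyzed={s['analyzed']:5d} "
              f"alerts={s['alerts']:3d} -> {diagnose(s)}")
```

To use it on a real run, capture Snort's output while you reproduce the problem (for example `snort -A fast -d -i eth0 -c /etc/snort.conf 2>&1 | tee run.log`, then CTRL-C) and feed the saved text to `parse_stats`. The ValueError on a missing summary line is deliberate: if Snort exited early (a config error, an unreadable rules path) there is no dump at all, and that should not be mistaken for "no packets".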
 
  

