snort logs issue

rajat83 · 04-18-2008, 08:39 AM

Hi Folks,

I have recently configured snort, But I am not getting any parameter for
mentioning the alert/log file for the same. It shows me some output on my console whenever I run it through "-A console" option but it is not logging the same output in the /var/log/snort/alert .....
It is also showing me the other rotated files
[root@localhost ~]# tail -f /var/log/snort snort.log.1208447039 snort.log.1208482108
log snort.log.1208447756
snort.log.1208391152 snort.log.1208453267

but all the files are empty

Run time prior to being shutdown was 576.234571 seconds
===============================================================================
Packet Wire Totals:
Received: 3826
Analyzed: 3825 (99.974%)
Dropped: 0 (0.000%)
Outstanding: 1 (0.026%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 3825 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 3434 (89.778%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 280 (7.320%)
UDP: 3125 (81.699%)
ICMP: 29 (0.758%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 61 (1.595%)
EAPOL: 0 (0.000%)
ETHLOOP: 55 (1.438%)
IPX: 0 (0.000%)
OTHER: 275 (7.190%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 3825
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 12
TCP sessions: 12
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 12
TCP StreamTrackers Deleted: 12
TCP Timeouts: 2
TCP Overlaps: 0
TCP Segments Queued: 0
TCP Segments Released: 0
TCP Rebuilt Packets: 0
TCP Segments Used: 0
TCP Discards: 2
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 0
Post parameters extracted: 0
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 0
Self-referencing paths ("./"): 0
Total packets processed: 124
===============================================================================
===============================================================================
Snort exiting

Showing some traffic also
But I wonder that I am not getting any option for logging alerts.
Also tell me how can I see the pkt output like ethreal.

Thanks in advance

lintoolman · 04-18-2008, 09:01 AM

I'm not sure what your issues is. But I would make sure your rules are not commented out.

rajat83 · 04-18-2008, 10:13 PM

That's what I am saying dear , I am not getting any arameter in the configuration file to define the path for alerts or logs.
So tell me the parameter..........

lintoolman · 04-21-2008, 04:36 AM

Find the Unified section and make sure the lines beginning with "output" are not commented out.

This is the howto I used to set up my snort box:

http://www.howtoforge.com/intrusion-...u-7.10-updated

This put all of the logs into a mysql database, but you can still output the logs to log files like were trying to accomplish.