LinuxQuestions.org > Forums > Linux - Security
#1  05-28-2002, 04:03 AM  cestor (LQ Newbie)

snort and iptables on same machine


I am currently running snort on the same box as iptables, which does NAT to a web server on our internal network. However, although ICMP and port scans do get logged, nothing else seems to. Is there something obvious I'm missing? I see attempted IIS exploits regularly in the http logs but nothing from snort, even though it has the latest set of vulnerabilities.

I run snort 1.8.6 as

/usr/sbin/snort -c /etc/snort/snort.conf -D

and have configured the snort.conf with

output alert_syslog: LOG_AUTH LOG_ALERT

Finally is there a good way of testing all your snort rules automatically?
 
#2  05-28-2002, 11:52 AM  unSpawn (Moderator)
Maybe no corresponding syslog entry? Your /etc/syslog.conf should have a line like
"auth.alert<tab><tab>/wherever/we/place/logfile.name" if you would do it strict (man sysconf).
Snort incorporates a test switch (man snort).
 
#3  06-02-2002, 03:38 PM  cestor (LQ Newbie, original poster)
No, I have the auth.alert in my syslog.conf, and a logger -p auth.alert "blah" gets correctly logged.
This is what I get from the test switch:

[root@xxx etc]# snort -T -c /etc/snort/snort.conf
Log directory = /var/log/snort

Initializing Network Interface eth0

--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
1281 Snort rules read...
1281 Option Chains linked into 154 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!


Any other suggestions?
 
#4  06-06-2002, 12:29 PM  cestor (LQ Newbie, original poster)
Any ideas?
 
#5  06-08-2002, 06:39 AM  unSpawn (Moderator)
Hmm. For speed/lack of need I usually leave out some rule files... Did you check you loaded the web-iis.rules in your snort.conf?
Btw, have you tried asking this on the snort mailing list?
 
#6  06-08-2002, 05:17 PM  cestor (LQ Newbie, original poster)
Yes, I have the web-iis rules in and also I have asked on the Snort forums but no reply received yet...

Here is the snort.conf (with obscured IP addresses) in case I am missing the blindingly obvious...

#--------------------------------------------------
# http://www.snort.org Snort 1.8.6 Ruleset

var HOME_NET x.x.x.x

var EXTERNAL_NET any

var SMTP $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var DNS_SERVERS [x.x.x.x]

var RULE_PATH ./

var SHELLCODE_PORTS !80

###################################################
# Step #2: Configure preprocessors
#
# frag2: IP defragmentation support
# -------------------------------
preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
preprocessor stream4: detect_scans

# tcp stream reassembly directive
preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
preprocessor http_decode: 80 -unicode -cginull


preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
preprocessor telnet_decode

# portscan: detect a variety of portscans
preprocessor portscan: $HOME_NET 4 3 portscan.log

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
#output xml: log, file=/var/log/snortxml

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128


# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README-SNMP file for more information on enabling and using this
# plug-in.
#
#
# The SnmpTrapGenerator outputplugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the paremeters will be as follows
# alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
# <hostName> <community>
#
# For SNMPv2c traps
#
#output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv2c informs
#
#output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
# authentication protocol = SHA ,
# authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
# privacy protocol = DES,
# privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
# flags:A+

#
# Include classification & priority settings
#

include classification.config


####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply.
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Max Vision <vision@whitehats.com>
# Martin Markgraf <martin@mail.du.gtn.com>
# Fyodor Yarochkin <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# Brian Caswell <bmc@snort.org>
# Zeno <admin@cgisecurity.com>
# Ryan Russell <ryan@securityfocus.com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
 
#7  06-09-2002, 12:36 PM  unSpawn (Moderator)
Dunno man, totally stumped on this one.
Here's part of diffing confs; the only interesting differences I could see were these:

# I had to add these before using the latest rule tarballs...
+var HTTP_PORTS SOME PORTS
+var ORACLE_PORTS SOME MORE PORTS

# Absolute paths. Why? Just cuz.
+var RULE_PATH /SOME/DIR
-var RULE_PATH ./

# Ok. These shouldn't make any diff.
+preprocessor stream4: detect_scans,detect_state_problems,timeout, memcap
+preprocessor stream4_reassemble: both,ports all

-preprocessor stream4: detect_scans
-preprocessor stream4_reassemble

# Ok. These shouldn't make any diff either.
+output alert_syslog: LOG_LOCAL_NUMBER
-output alert_syslog: LOG_AUTH LOG_ALERT

# Using var
+include $RULE_PATH/classification.config
-include classification.config
# Btw, if you're using Whitehats rules you *need* to change some classifications...

Strace shows we need these:
open /etc/nsswitch.conf (r)
open /etc/ld.so.cache (r)
open /lib/libnss_files.so.2 (r)
open /lib/i686/libc.so.6 (r)
open /lib/ld-linux.so.2 (r)
open /etc/protocols (r)
open /etc/localtime (r)
open snort config (r)
open portscan logfile (rw)
open classification config (r)
open rules files (r)
(strace of snort -T ends OK)

Anyway, I don't know how any of the above could help, I mean, you're not getting any errors testing, so maybe you'd be better off using snort-users@lists.sourceforge.net ...

Soz.
 
#8  06-10-2002, 12:11 PM  unSpawn (Moderator)
Btw, snort doesn't complain about libpcap, and when it runs the interface is in promiscuous mode, right?
 
#9  06-13-2002, 03:32 AM  cestor (LQ Newbie, original poster)

Solution

I found the cause of the problem, and it was pretty silly, but I thought I'd post it in case anyone else runs into it. Basically the machine has about 10 interfaces and was listening by default on eth0:1 and not eth0. Not sure why it chose that default, but a simple -i switch on the command line solves the problem.

Thanks for all the suggestions everyone.
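Putting the three checks this thread ends up needing into one script, as an added example that is not code from the thread or from the Snort project: which interface Snort will actually capture on (the -i question settled in post #9), whether that interface is in promiscuous mode (post #8), and whether a syslog.conf selector accepts the facility/priority that alert_syslog emits (post #2). The interface parser assumes `ip -o link show` or classic `ifconfig -a` output, the syslog parser assumes sysklogd-style selectors, the function names snort_iface, iface_promisc, syslog_accepts and preflight are chosen here, and the interface listing and syslog.conf fragment are constructed samples rather than captures from a real host.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Snort 1.x sensor on an iptables/NAT
# box. Assumes interface listings in `ip -o link show` or classic `ifconfig -a`
# format and a syslog.conf of "selector<whitespace>action" lines. All sample
# inputs below are constructed, not captured from a real host.

# Print the interface named by -i on a snort command line, or DEFAULT when
# none was given and libpcap picks one (in this thread that pick was the
# alias eth0:1, not eth0).
snort_iface() {
    iface=DEFAULT
    while [ $# -gt 0 ]; do
        case "$1" in
            -i)  if [ $# -gt 1 ]; then shift; iface="$1"; fi ;;
            -i*) iface="${1#-i}" ;;
        esac
        shift
    done
    printf '%s\n' "$iface"
}

# Exit 0 if interface $1 carries PROMISC in the listing on stdin, 1 if it is
# listed without PROMISC, 2 if it is not listed at all.
iface_promisc() {
    awk -v want="$1" '
        /^[0-9]+: /               { name = $2 }   # ip -o link:  "2: eth0: <...>"
        /^[^ \t]/ && !/^[0-9]+: / { name = $1 }   # ifconfig:    "eth0:1  Link encap..."
        { sub(/:$/, "", name); sub(/@.*/, "", name) }
        name == want { seen = 1; if ($0 ~ /PROMISC/) found = 1 }
        END { if (!seen) exit 2; exit !found }'
}

# Exit 0 if some line of the syslog.conf on stdin accepts facility $1 at
# priority $2 (auth alert for "output alert_syslog: LOG_AUTH LOG_ALERT").
# Understands "*", "=pri", "none", "fac1,fac2.pri" and ";"-joined parts;
# a plain priority accepts itself and everything more severe, and a later
# part for the same facility overrides an earlier one (sysklogd semantics).
syslog_accepts() {
    awk -v fac="$1" -v pri="$2" '
        BEGIN { n = split("emerg alert crit err warning notice info debug", L, " ")
                for (i = 1; i <= n; i++) lvl[L[i]] = i }
        /^[ \t]*(#|$)/ { next }
        { hit = 0
          np = split($1, part, ";")
          for (i = 1; i <= np; i++) {
              if (split(part[i], fp, "[.]") != 2) continue
              nf = split(fp[1], facs, ",")
              for (j = 1; j <= nf; j++) {
                  if (facs[j] != fac && facs[j] != "*") continue
                  p = fp[2]
                  if (p == "none")                     hit = 0
                  else if (p == "*")                   hit = 1
                  else if (substr(p, 1, 1) == "=")     hit = (substr(p, 2) == pri)
                  else if ((p in lvl) && (pri in lvl)) hit = (lvl[pri] <= lvl[p])
              }
          }
          if (hit) any = 1 }
        END { exit !any }'
}

# Constructed sample inputs.
LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
SYSLOG_CONF='# constructed syslog.conf (real sysklogd wants tabs between the fields)
*.info;mail.none;authpriv.none;auth.none   /var/log/messages
auth.alert                                 /var/log/snort-alerts
mail.*                                     -/var/log/maillog'

# Run all three checks: $1 = interface Snort should sniff, rest = command line.
preflight() {
    want="$1"; shift
    got=$(snort_iface "$@")
    if [ "$got" = "$want" ]; then echo "ok   capturing on $got"
    else echo "FAIL snort would capture on $got, not $want (pass -i $want)"; fi
    if printf '%s\n' "$LINKS" | iface_promisc "$want"; then echo "ok   $want is PROMISC"
    else echo "FAIL $want is not promiscuous or not listed"; fi
    if printf '%s\n' "$SYSLOG_CONF" | syslog_accepts auth alert; then echo "ok   syslog accepts auth.alert"
    else echo "FAIL no syslog selector accepts auth.alert"; fi
}

preflight eth0 /usr/sbin/snort -c /etc/snort/snort.conf -D         # the thread's original line
preflight eth0 /usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -D # with the fix from post #9
```

Run as is to see the FAIL/ok pair for the thread's two command lines, or feed the functions the real `ip -o link show`, `ifconfig -a` and /etc/syslog.conf from the sensor. On an iproute2 system an ifconfig-era alias such as eth0:1 is only an address label on eth0 and does not appear in `ip link`, so the interface check can only see it in ifconfig output.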