LinuxQuestions.org, Linux - Security forum
#1  Dogit, 03-02-2005, 10:08 PM
Registered: Feb 2005
Distribution: Suse 9.0, 9.2 Pro
Posts: 67

Snort not logging


Hello to all,

Well, so far I have all the other tools I have downloaded installed and running, but I can't get this Snort to log anything. I am using the snort.conf that came with it; I was not sure if I should play with it, so if anyone can help me, please: how do I get this to log something?

Oh, I did try to run it, but I got this:

ERROR: Failed to lookup for interface: no suitable device found.
please specify one with -i switch

Thank you
 
#2  DDoSire, 03-02-2005, 10:23 PM
Registered: Mar 2005
Location: Auckland
Distribution: Fedora Core 1, 3, RH9, SUSE
Posts: 8

The -vi switch tells Snort to listen on a specific interface. Say you want to sniff on eth1; type:

snort -vi eth1

This article may be helpful for you.
 
#3  Dogit, 03-02-2005, 10:29 PM

Hello, DDoSire

Oh, thanks. I love this Linux, but it is some hard work, and yes, I will have a look at that link.

Thank you
 
#4  DDoSire, 03-02-2005, 10:35 PM

Quote:
Originally posted by Dogit
Hello, DDoSire

Oh, thanks. I love this Linux, but it is some hard work, and yes, I will have a look at that link.

Thank you

Snort will dump error messages to /var/log/messages; you may want to look at that too.

Hope it helps.
 
#5  Dogit, 03-02-2005, 10:40 PM

Hi, DDoSire

Hmm, not sure if I did something wrong here, but here is what I just got:

snort -vi eth1
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface eth1
Error: OpenPcap () device eth1 open:

socket: Operation not permitted

No idea what I did.

Thank you
 
#6  DDoSire, 03-02-2005, 10:53 PM

I suppose you are executing Snort as root.

What error message do you get if you type this?

snort -i eth1 -c /etc/snort/snort.conf
 
#7  Dogit, 03-02-2005, 11:48 PM

Hi, DDoSire

Well, here is what happened. In place of this eth1 I used a 0, and all was good till the end, when I got this:

Error: /etc/snort/snort.conf (606) : Bad rule in rules file

Fatal Error, Quitting..

It doesn't sound good.

By the way, should I be executing Snort as root?

Thank you
 
#8  DDoSire, 03-03-2005, 04:29 PM

Quote:
Originally posted by Dogit
By the way, should I be executing Snort as root?

Yes, you should.
 
#9  Dogit, 03-03-2005, 05:41 PM

Hi, DDoSire

Great, thanks.

Would you happen to know what that error is all about?

Thank you
 
#10  DDoSire, 03-03-2005, 05:54 PM

It's line 606 in the snort.conf file that caused the error. Check the line and see what you have done wrong. In my snort.conf it is:

Code:
#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#

include reference.config

Note that you should not change the path to an absolute path if you are running Linux; otherwise it will append the given path to your root path, which will cause problems.
 
#11  Dogit, 03-04-2005, 05:40 PM

Hi, DDoSire

Well, it looks like it may be working; you tell me:

Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
eth0: no IPv4 address assigned

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
1454 Snort rules read...
1454 Option Chains linked into 146 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--


Oh, by the way, I don't get what you said here:

Note that you should not change the path to an absolute path if you are running Linux; otherwise it will append the given path to your root path, which will cause problems.

Thank you
 
#12  DDoSire, 03-06-2005, 03:22 PM

Sorry for my bad English, since it is not my native language.

I meant

Code:
include reference.config

should not be

Code:
include /etc/snort/reference.config

Nice to know Snort is working well for you now.
 
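Posts #10 and #12 turn on the include line and the path it resolves to, while Snort's own diagnostic stops at "snort.conf (606) : Bad rule in rules file". The script below is an added example for this thread; it is neither the posters' nor the Snort project's code. It walks a snort.conf, remembers the `var NAME value` definitions, expands `$NAME` in every `include` target and reports, with the line number, each target that cannot be read. The `make_sample_conf` function writes a small constructed snort.conf (not the stock file) so the script runs offline. One assumption is built in and commented: a relative include is looked up under the directory of the config file given with -c, which is how Snort 2.x treats `include reference.config`; an absolute path such as `/etc/snort/reference.config` is used as written.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): pre-flight check for the
# "include" directives in a Snort 2.x snort.conf. Snort itself only reports the
# failing line; this says which include target is missing and where it looked.
#
# Assumption: a relative include target is resolved against the directory that
# holds the config file (the file given to snort -c), an absolute one as is.

nl='
'

# expand_vars STRING VARS -> STRING with every $NAME replaced by its value.
# VARS is a newline-separated list of NAME=value entries, applied in order.
expand_vars() {
    target=$1
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        pat="\$$name"                 # the literal text "$RULE_PATH"
        out=""
        rest=$target
        while :; do
            case $rest in
                *"$pat"*)
                    head=${rest%%"$pat"*}
                    out="$out$head$value"
                    rest=${rest#*"$pat"}
                    ;;
                *) break ;;
            esac
        done
        target="$out$rest"
    done <<EOF
$2
EOF
    printf '%s\n' "$target"
}

# check_snort_includes CONF -> 0 if every include target is readable, 1 if not
# (one diagnostic per bad include on stderr), 2 if CONF itself cannot be read.
check_snort_includes() {
    conf=$1
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf" >&2; return 2; }
    confdir=$(cd "$(dirname "$conf")" && pwd) || return 2
    vars=""
    lineno=0
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}              # drop trailing comments
        set -f                        # split the line into words, no globbing
        set -- $line
        set +f
        [ $# -gt 0 ] || continue
        case $1 in
            var)
                # a value may itself reference an earlier var ($RULE_PATH/preproc)
                if [ $# -ge 3 ]; then
                    vars="$vars$2=$(expand_vars "$3" "$vars")$nl"
                fi
                ;;
            include)
                [ $# -ge 2 ] || continue
                target=$(expand_vars "$2" "$vars")
                case $target in
                    /*) ;;                              # absolute: used as written
                    *)  target="$confdir/$target" ;;    # relative: under the config dir
                esac
                if [ ! -r "$target" ]; then
                    printf '%s (%d) : include target not readable: %s\n' \
                        "$conf" "$lineno" "$target" >&2
                    status=1
                fi
                ;;
        esac
    done <"$conf"
    return $status
}

# make_sample_conf DIR -> writes a constructed snort.conf (not the stock file)
# plus the files it includes, minus one, and prints the config path.
make_sample_conf() {
    dir=$1
    mkdir -p "$dir/etc/snort" "$dir/etc/rules"
    : >"$dir/etc/snort/reference.config"
    : >"$dir/etc/snort/classification.config"
    : >"$dir/etc/rules/local.rules"
    cat >"$dir/etc/snort/snort.conf" <<'EOF'
# constructed sample snort.conf, not the stock file
var RULE_PATH ../rules
include reference.config
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/missing.rules   # deliberately absent: reported as line 6
EOF
    printf '%s\n' "$dir/etc/snort/snort.conf"
}

# Stand-alone run: check the file named on the command line, or demonstrate on
# the constructed sample when no argument is given.
if [ $# -gt 0 ]; then
    check_snort_includes "$1"
else
    demo=$(mktemp -d)
    sample=$(make_sample_conf "$demo")
    if check_snort_includes "$sample"; then
        echo "all includes resolve; next step: snort -T -c $sample -i eth0"
    else
        echo "fix the line(s) reported above before starting Snort"
    fi
    rm -rf "$demo"
fi
```

Run it with no arguments to watch the constructed sample fail at line 6, or pass your own snort.conf. Once every include resolves, `snort -T -c /etc/snort/snort.conf -i eth0` makes Snort parse the whole configuration, rules included, and exit without capturing, which catches the rest of the parse errors this script does not look for. For the actual capture Snort does need root to open the socket (the "Operation not permitted" in post #5), but it can drop to an unprivileged account afterwards with -u and -g.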