Nothing written to snort logfiles
Dear Debian firewallers,
I am not getting anything written to my log files.
I have scanned my own host from a separate Internet connection:
sleepyhollow:sinnamon$nmap -p 21,22,80,443 144.136.251.208
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on CPE-144-136-251-208.nsw.bigpond.net.au (144.136.251.208):
(The 1 port scanned but not shown below is in state: closed)
Port State Service
21/tcp filtered ftp
80/tcp open http
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
... but snort does not report anything. The log files are nearly empty, and
were not updated by the scan.
greenhouse:/etc/init.d# ls -lt /var/log/snort
total 24
-rw-r----- 1 root adm 24 2004-06-15 15:04 snort.log.1087275893
-rw-r----- 1 root adm 24 2004-06-15 14:52 snort.log.1087275135
-rw-r----- 1 root adm 24 2004-06-15 14:51
...
-rw-r----- 1 root adm 24 2004-06-12 23:40 snort.log.1087045143
-rw-r----- 1 snort adm 141 2004-06-12 23:36 alert
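The snort.log.* files in the listing above are all exactly 24 bytes, which is the size of a pcap global header and nothing else: with `output log_tcpdump: snort.log` Snort writes that header as soon as it opens the file, so a 24-byte file is a capture that received no packets. The following is an added check, not code from the poster or from the Snort project, that parses pcap bytes and counts packet records so the state of each log file can be read off instead of guessed from its size. The two sample captures are constructed inline; the only assumption is that the files are in classic pcap format, which is what log_tcpdump produces.

```python
import glob
import struct

# pcap on-disk layout: a 24-byte global header, then a 16-byte record header
# in front of each captured packet.
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def byte_order(magic_bytes):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    magic = struct.unpack("<I", magic_bytes)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (usec / nsec stamps)
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian (usec / nsec stamps)
        return ">"
    raise ValueError("not a pcap file: magic 0x%08x" % magic)


def summarize(data):
    """Count the packet records in the pcap bytes `data`."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    order = byte_order(data[:4])
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    packets = 0
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN + incl_len
        if offset > len(data):
            raise ValueError("truncated packet record")
        packets += 1
    return {"bytes": len(data), "packets": packets, "snaplen": snaplen,
            "linktype": linktype, "empty": packets == 0}


def inspect_file(path):
    """Summarize one log_tcpdump output file on disk."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


# Constructed sample captures (not taken from the poster's machine).
# Global header fields: magic, major 2, minor 4, thiszone 0, sigfigs 0,
# snaplen 65535, linktype 1 (Ethernet).  This is what a 24-byte file holds.
EMPTY_CAPTURE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# A zeroed 14-byte Ethernet header stands in for a real captured frame.
FRAME = bytes(14)
ONE_PACKET_CAPTURE = (EMPTY_CAPTURE
                      + struct.pack("<IIII", 1087275893, 0, len(FRAME), len(FRAME))
                      + FRAME)

if __name__ == "__main__":
    # On the Snort host itself: report every log_tcpdump output file.
    for path in sorted(glob.glob("/var/log/snort/snort.log.*")):
        print(path, inspect_file(path))
```

Run on the sensor, the script prints `packets: 0, empty: True` for each 24-byte file; any packet Snort had decided to log would add at least a 16-byte record header, so a file that never grows past 24 bytes has never been handed a packet by a matching rule.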
The snort process looks like:
greenhouse:/etc/init.d# ps auxwww | grep snort
snort 2030 0.9 3.6 36732 33164 ? Rs 16:57 0:00 /usr/sbin/snort \
-m 027 -D -c /etc/snort/snort.conf -l /var/log/snort -d -u snort -g snort \
-O -S HOME_NET=[192.168.0.0/24] -i eth0
My /etc/snort/snort.conf is:
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
scoreboard-rows-talker 30000 \
server-watchnet $HOME_NET \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
src-ignore-net $HOME_NET \
dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
tcp-penalties on
output log_tcpdump: snort.log
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include threshold.conf
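One thing worth checking against the configuration above: HOME_NET is 192.168.0.0/24 (and the command line repeats it with `-S HOME_NET=[192.168.0.0/24]`), EXTERNAL_NET is `!$HOME_NET`, and the headers of the bundled rule files are predominantly written `$EXTERNAL_NET any -> $HOME_NET any`. A probe aimed at 144.136.251.208 therefore has a destination that is not in HOME_NET, so none of those rule headers can match it, whatever the payload. The script below is an added example, not Snort's own variable handling: it reads `var` lines, applies a `-S` style override, and evaluates a rule header against a source/destination pair. The remote scanner address 203.0.113.5 is a constructed documentation-range placeholder, and bracketed lists are given the simple "matches any member" reading.

```python
import ipaddress

# Constructed excerpt: the IP variables as they appear in the posted snort.conf.
SNORT_CONF = """
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24]
"""


def parse_vars(text):
    """Collect 'var NAME VALUE' lines into a dict of raw (unexpanded) values."""
    variables = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2].strip()
    return variables


def apply_override(variables, assignment):
    """Mimic `snort -S NAME=VALUE`, which replaces a var from the command line."""
    name, value = assignment.split("=", 1)
    updated = dict(variables)
    updated[name.strip()] = value.strip()
    return updated


def ip_matches(ip, spec, variables):
    """True if `ip` falls inside the Snort IP specification `spec`.

    Handles 'any', '!' negation, $VAR references and bracketed lists
    (a list matches when any member matches; a simplification of Snort's rules).
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return ip_matches(ip, variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(ip, member, variables)
                   for member in spec[1:-1].split(",") if member.strip())
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_applies(src_ip, dst_ip, src_spec, dst_spec, variables):
    """Would a header written `src_spec any -> dst_spec any` see this packet?"""
    return (ip_matches(src_ip, src_spec, variables)
            and ip_matches(dst_ip, dst_spec, variables))


def explain(scanner_ip, scanned_ip, variables):
    """Report how the usual $EXTERNAL_NET -> $HOME_NET header treats one probe."""
    return {
        "scanned_in_HOME_NET": ip_matches(scanned_ip, "$HOME_NET", variables),
        "scanner_in_EXTERNAL_NET": ip_matches(scanner_ip, "$EXTERNAL_NET", variables),
        "rule_sees_probe": rule_applies(scanner_ip, scanned_ip,
                                        "$EXTERNAL_NET", "$HOME_NET", variables),
    }


if __name__ == "__main__":
    variables = parse_vars(SNORT_CONF)
    # The poster's command line repeats the same value, so this override changes nothing.
    variables = apply_override(variables, "HOME_NET=[192.168.0.0/24]")
    # 203.0.113.5 is a documentation-range stand-in for the remote scanning host.
    print(explain("203.0.113.5", "144.136.251.208", variables))
    print(explain("203.0.113.5", "192.168.0.10", variables))
    # Same probe once the public address is part of HOME_NET.
    widened = apply_override(variables,
                             "HOME_NET=[192.168.0.0/24,144.136.251.208/32]")
    print(explain("203.0.113.5", "144.136.251.208", widened))
```

The first result shows `scanned_in_HOME_NET: False` and `rule_sees_probe: False` for the address that was scanned; the third shows both become True once that address is listed in HOME_NET. The same evaluation applies to the flow-portscan preprocessor block above, whose `server-watchnet` is also `$HOME_NET`.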
... and my /etc/snort.debian.conf is:
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.0/24"
DEBIAN_SNORT_OPTIONS="-O"
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_STATS_RCPT="sinnamon"
DEBIAN_SNORT_STATS_TRESHOLD="1"
... and my /etc/init.d/snort includes :
#!/bin/sh -e
test $DEBIAN_SCRIPT_DEBUG && set -v -x
DAEMON=/usr/sbin/snort
NAME=snort
DESC="Network Intrusion Detection System"
CONFIG=/etc/snort/snort.debian.conf
COMMON=`cat /etc/snort/snort.common.parameters`
test -x $DAEMON || exit 0
test -f $CONFIG && . $CONFIG
test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
# to find the lib files
cd /etc/snort
case "$1" in
    start)
        if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then
            shift
            set +e
            /etc/ppp/ip-up.d/snort "$@"
            exit $?
        fi
        # Usually, we start all interfaces
        interfaces="$DEBIAN_SNORT_INTERFACE"
        # If we are requested to start a specific interface...
        test "$2" && interfaces="$2"
        myret=0
        got_instance=0
        for interface in $interfaces; do
            got_instance=1
            echo -n "Starting $DESC: $NAME($interface)"
            PIDFILE=/var/run/snort_$interface.pid
            fail="failed (check /var/log/daemon.log)"
            /sbin/start-stop-daemon --stop --signal 0 --quiet \
                --pidfile "$PIDFILE" --exec $DAEMON >/dev/null &&
                fail="already running"
            set +e
            /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
                --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \
                -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
                -i $interface
            ret=$?
            set -e
            case "$ret" in
                0)
                    echo "."
                    ;;
                *)
                    echo "...$fail."
                    myret=$(expr "$myret" + 1)
                    ;;
            esac
        done
        if [ "$got_instance" = 0 ]; then
            echo "No snort instance found to be started!" >&2
            exit 1
        fi
        exit $myret
        ;;
....
-------------------------------------------------------
Any suggestions?
TIA
James
--
James Sinnamon
jps at westnet com auStralia
ph +61 412 319669, +61 2 95692123, +61 2 95726357