
Re: Nothing written to snort logfiles



If you read the archives of June 14-15 (just 2 days ago) you will see that
we suspect any line in the form of /^#.*\\$/ to cause bad behaviour.
These comments are getting messed up by the continue operator '\'.

What's worse is that these comment lines most likely contain valid code. 
Thus the error is in a line much greater than the comment that caused the
error.

This could be something that just slipped into the latest release.  Try
running an older version and see if the problem persists, also get in touch
with the other person who had similar problems.  See if there is a Debian
bug report, if not work with the other person to open one.

--- James Sinnamon <jps@westnet.com.au> wrote:
> Dear Debian firewallers,
> 
> I am not getting anything written to my log files.  
> 
> I have scanned my own host from a separate Internet connection:
> 
> sleepyhollow:sinnamon$nmap -p 21,22,80,443 144.136.251.208
> 
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on CPE-144-136-251-208.nsw.bigpond.net.au
> (144.136.251.208):
> (The 1 port scanned but not shown below is in state: closed)
> Port       State       Service
> 21/tcp     filtered    ftp
> 80/tcp     open       http
> 443/tcp    open        https
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
> 
> ..../but snort does not report anything.  The log files are nearly
> empty, and were not caused to be updated by the scan.
> 
> greenhouse:/etc/init.d# ls -lt /var/log/snort
> total 24
> -rw-r-----    1 root     adm            24 2004-06-15 15:04 snort.log.1087275893
> -rw-r-----    1 root     adm            24 2004-06-15 14:52 snort.log.1087275135
> -rw-r-----    1 root     adm            24 2004-06-15 14:51 
> 
> ....
> 
> -rw-r-----    1 root     adm            24 2004-06-12 23:40 
> snort.log.1087045143
> -rw-r-----    1 snort    adm           141 2004-06-12 23:36 alert
> 
> The snort process looks like:
> 
> greenhouse:/etc/init.d# ps auxwww | grep snort
> snort   2030  0.9  3.6 36732 33164 ?     Rs   16:57   0:00 /usr/sbin/snort -m 027 -D -c /etc/snort/snort.conf -l /var/log/snort -d -u snort -g snort -O -S HOME_NET=[192.168.0.0/24] -i eth0
> 
> My /etc/etc/snort.conf is: 
> 
> var HOME_NET 192.168.0.0/24
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH /etc/snort/rules
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts detect_scans
> preprocessor stream4_reassemble
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> preprocessor flow-portscan: \
>         talker-sliding-scale-factor 0.50 \
>         talker-fixed-threshold 30 \
>         talker-sliding-threshold 30 \
>         talker-sliding-window 20 \
>         scoreboard-rows-talker 30000 \
>         server-watchnet $HOME_NET \
>         server-ignore-limit 200 \
>         server-rows 65535 \
>         server-learning-time 14400 \
>         server-scanner-limit 4 \
>         scanner-sliding-window 20 \
>         scanner-sliding-scale-factor 0.50 \
>         scanner-fixed-threshold 15 \
>         scanner-sliding-threshold 40 \
>         scanner-fixed-window 15 \
>         scoreboard-rows-scanner 30000 \
>         src-ignore-net $HOME_NET \
>         dst-ignore-net [10.0.0.0/30] \
>         alert-mode once \
>         output-mode msg \
>         tcp-penalties on
> output log_tcpdump: snort.log
> include classification.config
> include reference.config
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/experimental.rules
> include threshold.conf
> 
> 
> .... and my /etc/snort.debian.conf is:
> 
> 
> DEBIAN_SNORT_STARTUP="boot"
> DEBIAN_SNORT_HOME_NET="192.168.0.0/24"
> DEBIAN_SNORT_OPTIONS="-O"
> DEBIAN_SNORT_INTERFACE="eth0"
> DEBIAN_SNORT_STATS_RCPT="sinnamon"
> DEBIAN_SNORT_STATS_TRESHOLD="1"
> 
> 
> .... and my /etc/init.d/snort includes :
> 
> #!/bin/sh -e
> 
> test $DEBIAN_SCRIPT_DEBUG && set -v -x
> 
> DAEMON=/usr/sbin/snort
> NAME=snort
> DESC="Network Intrusion Detection System"
> 
> CONFIG=/etc/snort/snort.debian.conf
> COMMON=`cat /etc/snort/snort.common.parameters`
> 
> test -x $DAEMON || exit 0
> test -f $CONFIG && . $CONFIG
> test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
> 
> # to find the lib files
> cd /etc/snort
> 
> case "$1" in
>   start)
>         if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then
>                 shift
>                 set +e
>                 /etc/ppp/ip-up.d/snort "$@"
>                 exit $?
>         fi
> 
>         # Usually, we start all interfaces
>         interfaces="$DEBIAN_SNORT_INTERFACE"
> 
>         # If we are requested to start a specific interface...
>         test "$2" && interfaces="$2"
> 
>         myret=0
>         got_instance=0
>         for interface in $interfaces; do
>                 got_instance=1
>                 echo -n "Starting $DESC: $NAME($interface)"
> 
>                 PIDFILE=/var/run/snort_$interface.pid
> 
>                 fail="failed (check /var/log/daemon.log)"
>                 /sbin/start-stop-daemon --stop --signal 0 --quiet \
>                         --pidfile "$PIDFILE" --exec $DAEMON >/dev/null &&
>                                 fail="already running"
> 
>                 set +e
>                 /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
>                         --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \
>                         -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
>                         -i $interface
>                 ret=$?
>                 set -e
>                 case "$ret" in
>                         0)
>                                 echo "."
>                                 ;;
>                         *)
>                                 echo "...$fail."
>                                 myret=$(expr "$myret" + 1)
>                                 ;;
>                 esac
>         done
> 
>         if [ "$got_instance" = 0 ]; then
>                 echo "No snort instance found to be started!" >&2
>                 exit 1
>         fi
> 
>         exit $myret
>         ;;
> 
> .....
> 
> -------------------------------------------------------
> 
> Any suggestions?
> 
> TIA
> 
> James
> 
> -- 
> James Sinnamon
> jps at westnet com auStralia
> ph +61 412 319669, +61 2 95692123, +61 2 95726357
> 
> 
> 
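The reply at the top of this thread points at comment lines matching /^#.*\\$/ in snort.conf: a '#' line that ends in the continuation character '\' gets glued to the line after it, so a real directive vanishes into the comment and any parse error surfaces far from its cause. The following checker is an added example written for this page, not code from the thread or from the Snort project; it runs a naive "join continuations, then drop comments" pass over a constructed config fragment (the HOME_NET, include, preprocessor and output lines are of the kind shown in the quoted snort.conf), reports which comment lines end in a backslash, shows which directives they swallow, and produces a corrected copy.

```python
"""Added example (not from the thread or from Snort): find comment lines in a
snort.conf that end in the continuation character '\\', show which directives
a naive line-joining reader would swallow because of them, and strip the
offending backslashes."""
import re

# Constructed sample fragment. Line 2 has the suspect shape from the thread:
# a '#' comment ending in '\'. Line 3 is a directive that should be loaded.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
# rules that were disabled during testing \\
include $RULE_PATH/scan.rules
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
output log_tcpdump: snort.log
"""

# The pattern named in the reply: a comment line whose last character is '\'.
COMMENT_CONTINUATION = re.compile(r"^#.*\\$")


def find_comment_continuations(text):
    """Return (line_number, line) for every comment line ending in a backslash."""
    return [(n, line) for n, line in enumerate(text.splitlines(), start=1)
            if COMMENT_CONTINUATION.match(line.rstrip())]


def join_continuations(text):
    """Join '\\'-continued physical lines into logical lines, the way a simple
    config reader does, before looking at '#'.  Returns a list of
    (first_physical_line, last_physical_line, logical_line)."""
    logical, buf, start = [], [], None
    n = 0
    for n, line in enumerate(text.splitlines(), start=1):
        if start is None:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped.strip())
        logical.append((start, n, " ".join(buf)))
        buf, start = [], None
    if buf:  # file ended on a dangling continuation
        logical.append((start, n, " ".join(buf)))
    return logical


def effective_directives(text):
    """Logical lines that survive comment stripping once continuations have
    been joined: anything whose joined form starts with '#' is discarded."""
    return [l for _, _, l in join_continuations(text)
            if not l.lstrip().startswith("#")]


def swallowed_lines(text):
    """Physical lines that exist in the file but never reach the parser because
    they were glued onto a preceding comment."""
    physical = text.splitlines()
    lost = []
    for start, end, logical in join_continuations(text):
        if logical.lstrip().startswith("#") and end > start:
            for n in range(start + 1, end + 1):
                lost.append((n, physical[n - 1].strip()))
    return lost


def strip_comment_continuations(text):
    """Mitigation: remove the trailing backslash from comment lines so they can
    no longer absorb the directive that follows them."""
    out = []
    for line in text.splitlines():
        if COMMENT_CONTINUATION.match(line.rstrip()):
            line = line.rstrip()[:-1].rstrip()
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line in find_comment_continuations(SAMPLE_CONF):
        print(f"line {n}: comment ends in '\\': {line}")
    for n, line in swallowed_lines(SAMPLE_CONF):
        print(f"line {n}: never loaded, swallowed by the comment above: {line}")
    print("directives before fix:", len(effective_directives(SAMPLE_CONF)))
    fixed = strip_comment_continuations(SAMPLE_CONF)
    print("directives after fix: ", len(effective_directives(fixed)))
```

On the sample, the include of scan.rules is reported as swallowed and the directive count goes from 3 to 4 after the fix. For a quick look at a real file the same pattern works with `grep -nE '^#.*\\$' /etc/snort/snort.conf`; the script only adds the "what got lost" view.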