Snort mailing list archives

Re: Only an empty Alert file :(
From: "Dean Farwood" <dean_farwood () comcast net>
Date: Tue, 13 Mar 2012 06:30:41 -0700

Joel,

Thanks for your interest.

I followed your advice and logged the session as -K pcap. I checked the
capture on Wireshark and indeed, the word "password" is included in one of
the frames.

Interestingly I had to use the command

snort -dev -l /etc/snort/log2 -K pcap

When I tried the command

snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K pcap

nothing was logged except that darned empty alert file.

I wish I knew why adding the -c argument messes up logging?

Dean

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Monday, March 12, 2012 5:35 AM
To: Dean Farwood
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Only an empty Alert file :(

I suggest you capture the packet to disk. Then you can use Snort to read
the pcap with -r.

You need to review the pcap to see if the word "password" really does exist
in plaintext in the stream.

I am betting it doesn't.

J
On Mar 11, 2012, at 6:40 PM, Dean Farwood wrote:

Hello,

I'm running Snort 2.8.5.2 (Build 121) on Ubuntu 11.10 with 3.0.0-16-generic
kernel.

I have written the following rule called /etc/snort/rules/password.rules:

alert tcp any any <> 192.168.1.110 any (content:"password"; msg:"Potential Password Violation"; sid: 11995522;)

My snort command is:

snort -dev -c /etc/snort/snort.conf -l /etc/snort/log2 -K ascii

I then transfer a file with the word "password" in it from the Linux system
to a Windows system using Samba. The packets are captured as evidenced by
the terminal display. The Windows system successfully authenticates to Samba
and the file can be viewed on the Windows system.

PROBLEM: No directories are created in the /etc/snort/log2 directory. Only
an empty "Alert" file appears.

If I run a command like:

snort -dev -l /etc/snort/log2 -K ascii

I get normal logging directories with IP address directory names etc.

This command also results in nothing in /etc/snort/log2 except the empty
alert file:

snort -dev -c /etc/snort/rules/password.rules -l /etc/snort/log2 -K ascii

REQUEST: Any help I can get to allow proper logging when using the -c option
would be much appreciated.

Thanks,

Dean
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!