RE: Unable to receive alerts

["Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>]

Thanks Joe.
But still, when I am running the snortd script, 
my network interface remains in promiscous mode and I am losing network
connection.

Why my network connection is getting disabled when I run the snortd
script?
Am I doing something wrong?

Thanks in advance for all your help
Pradeep


-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Friday, February 28, 2003 2:16 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Unable to receive alerts


Well, I'm certainly not an expert on SNORT, although I use it on my
network. One thing I noticed about your config file was that you are not
defining any report output to anything. All the output options are
commented out with the #.

Verify this and if need be fix it. 

Or, recommend a good optometrist to me :-D

Joe

On Fri, 2003-02-28 at 12:43, Sadanapalli, Pradeep Kumar (MED, TCS)
wrote:
> Hi Friends,
> I am a snort newbie. I am running redhat linux 8.0 on my dell latitude
> C610.
> I want to run Snort as an IDS and would like to be alerted about the
> network traffic on my network interface.
>
> I am using a Lucent Wireless Network Card.
>
> I installed snort-1.9.0 as below.
>
> cp snort-1.9.0.tar.gz /home/pradeep/
> cp libcap-0.7.1.tar.gz /home/pradeep
>
> cd /home/pradeep
>
> tar -xzf libpcap-0.7.1.tar.gz 
> cd libpcap-0.7.1
> ./configure
> make 
> make install
>
> cd ..
>
> tar -xzf snort-1.9.0.tar.gz
> cd snort-1.9.0
> ./configure
> make
> make install
>
> mkdir /etc/snort
> cp etc/snort.conf /etc/snort/snort.conf
> mkdir /var/log/snort
> mkdir /IDS
> cp -ax rules /IDS/rules
>
> I am pasting below my snort.conf and snortd script for reference.
>
> /etc/rc.d/init.d/snortd start
>
> When I execute "dmesg |tail -1"
> it says "device eth1 entered promiscous mode"
>
> I am losing network connection i.e I am even unable to ping to any
other
> computer in the network.
> So I am not receiving any alerts . /var/log/snort/alert is always
> remaining empty.
>
> Please someone help what is going wrong?
> Thanks in advance for all your help..
>
>
> Pradeep
>
>
> ****************SNORTD******************
>
> #!/bin/sh
> #
> # snortd         Start/Stop the snort IDS daemon.
> #
> # chkconfig: 2345 40 60
> # description:  snort is a lightweight network intrusion detection
tool
> \
> #             that currently detects more than 1100 host and network \
> #             vulnerabilities, portscans, backdoors, and more.
> # processname: snort
> # config: /etc/snort/snort.conf
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> # Specify your network interface here
> INTERFACE=eth1
> LOGDIR=/var/log/snort/
> CONFIGFILE=/etc/snort/snort.conf
> SNORTBINARY=/usr/local/bin/snort
>
> RETVAL=0
>
> start() {
>       echo -n $"Starting snort: "
>       daemon $SNORTBINARY -A fast -b -l /var/log/snort -d -D -i
> $INTERFACE -c $CONFIGFILE
>       RETVAL=$?
>       [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snortd
>       echo
>         echo -n $"(log to " $LOGDIR " with configfile " $CONFIGFILE
")"
>         echo 
> }
>
> stop() {
>       echo -n $"Stopping snort: "
>       killproc snort
>       RETVAL=$?
>       rm -f /var/lock/subsys/snortd
>       echo
> }
>
> dostatus() {
>       status snort
>       RETVAL=$?
> }
>
> restart() {
>       stop
>       start
>       RETVAL=$?
> }
>
> condrestart() {
>       [ -e /var/lock/subsys/snortd ] && restart || :
> }
>
> # See how we were called.
> case "$1" in
>   start)
>       start
>       ;;
>   stop)
>       stop
>       ;;
>   status)
>       dostatus
>       ;;
>   restart|reload)
>       restart
>       ;;
>   condrestart)
>       condrestart
>       ;;
>   *)
>       echo "Usage: snortd {start|stop|status|restart|condrestart}"
>       exit 1
> esac
>
> exit $RETVAL
>
> ****************SNORTD******************
>
>
>
> ****************SNORTD.CONF******************
>
> #--------------------------------------------------
> #   http://www.snort.org     Snort 1.8.6 Ruleset
> #     Contact: snort-sigs () lists sourceforge net
> #--------------------------------------------------
> # NOTE:This ruleset only works for 1.8.0 and later
> #--------------------------------------------------
> # $Id: snort.conf,v 1.77.2.19 2002/06/29 13:32:48 chrisgreen Exp $
> #
> ###################################################
> # This file contains a sample snort configuration. 
> # You can take the following steps to create your 
> # own custom configuration:
> #
> #  1) Set the network variables for your network
> #  2) Configure preprocessors
> #  3) Configure output plugins
> #  4) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
>
>
> var HOME_NET x.0.0.0/24
> var EXTERNAL_NET any
> #var EXTERNAL_NET $eth0_ADDRESS
>
> var SMTP $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS x.x.x.x, x.x.x.x
> var TELNET_SERVERS $HOME_NET
> var AIM_SERVERS $HOME_NET
>
> var RULE_PATH /IDS/rules
>
> var SHELLCODE_PORTS !80
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
>
>
> ###################################################
> # Step #2: Configure preprocessors
> #
> # General configuration for preprocessors is of 
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
>
> # frag2: IP defragmentation support
> # -------------------------------
> # This preprocessor performs IP defragmentation.  This plugin will
also
> detect
> # people launching fragmentation attacks (usually DoS) against hosts.
> No
> # arguments loads the default configuration of the preprocessor, which
> is a 
> # 60 second timeout and a 4MB fragment buffer. 
>
> # The following (comma delimited) options are available for frag2
> #    timeout [seconds] - sets the number of [seconds] than an
unfinished
> #                        fragment will be kept around waiting for
> completion,
> #                        if this time expires the fragment will be
> flushed
> #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> #                      (default:  4194304)
>
> preprocessor frag2
>
> # stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
> # Use in concert with the -z [all|est] command line switch to defeat 
> # stick/snot against TCP rules.  Also performs full TCP stream 
> # reassembly, stateful inspection of TCP streams, etc.  Can statefully
> # detect various portscan types, fingerprinting, ECN, etc.
>
> # stateful inspection directive
> # no arguments loads the defaults (timeout 30, memcap 8388608)
> # options (options are comma delimited):
> #   detect_scans - stream4 will detect stealth portscans and generate
> alerts
> #                  when it sees them when this option is set
> #   detect_state_problems - detect TCP state problems, this tends to
be
> very
> #                           noisy because there are a lot of crappy ip
> stack
> #                           implementations out there
> #
> #   disable_evasion_alerts - disable fragroute alerting.  Useful for
> #                             machines with odd retransmission
patterns
> #
> #   keepstats [machine|binary] - keep session statistics, add
"machine"
> to 
> #                         get them in a flat format for machine
reading,
> add
> #                         "binary" to get them in a unified binary
> output 
> #                         format
> #   noinspect - turn off stateful inspection only
> #   timeout [number] - set the session timeout counter to [number]
> seconds,
> #                      default is 30 seconds
> #   memcap [number] - limit stream4 memory usage to [number] bytes
> #   log_flushed_streams - if an event is detected on a stream this
> option will
> #                         cause all packets that are stored in the
> stream4
> #                         packet buffers to be flushed to disk.  This
> only 
> #                         works when logging in pcap mode!
> #
> #   
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
>
> # tcp stream reassembly directive
> # no arguments loads the default configuration 
> #   Only reassemble the client,
> #   Only reassemble the default list of ports (See below),  
> #   Give alerts for "bad" streams
> #
> # Available options (comma delimited):
> #   clientonly - reassemble traffic for the client side of a
connection
> only
> #   serveronly - reassemble traffic for the server side of a
connection
> only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of
> stream4
> #   ports [list] - use the space separated list of ports in [list],
> "all" 
> #                  will turn on reassembly for all ports, "default"
will
> turn
> #                  on reassembly for ports 21, 23, 25, 53, 80, 143,
110,
> 111
> #                  and 513
>
> preprocessor stream4_reassemble
>
> # http_decode: normalize HTTP requests
> # ------------------------------------
> # http_decode normalizes HTTP requests from remote 
> # machines by converting any %XX character 
> # substitutions to their ASCII equivalent. This is
> # very useful for doing things like defeating hostile
> # attackers trying to stealth themselves from IDSs by
> # mixing these substitutions in with the request. 
> # Specify the port numbers you want it to analyze as arguments.
> # You may also specify -unicode to turn off detection of 
> # UNICODE directory traversal, etc attacks.  Use -cginull to
> # turn off detection of CGI NULL code attacks.
>
> preprocessor http_decode: 80
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual
> # 4-byte encoding that is used by default.  This preprocessor
> # normalized RPC traffic in much the same way as the http_decode
> # preprocessor.  This plugin takes the ports numbers that RPC 
> # services are running on as arguments.
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.  This preprocessor
> # uses the Back Orifice "encryption" algorithm to search for 
> # traffic conforming to the Back Orifice protocol (not BO2K).
> # This preprocessor can take two arguments.  The first is "-nobrute"
> # which turns off the plugin's brute forcing routine (brute forces 
> # the key space of the protocol to find BO traffic).  The second
> # argument that can be passed to the routine is a number to use
> # as the default key when trying to decrypt the traffic.  The 
> # default value is 31337 (just like BO).  Be aware that turning on
> # the brute forcing option runs the risk of impacting the overall
> # performance of Snort, you've been warned...
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from
> # telnet and ftp traffic.  It works in much the same way as the 
> # http_decode preprocessor, searching for traffic that breaks up
> # the normal data stream of a protocol and replacing it with 
> # a normalized representation of that traffic so that the "content"
> # pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
>
> preprocessor telnet_decode
>
> # portscan: detect a variety of portscans
> # ---------------------------------------
> # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
> # This preprocessor detects UDP packets or TCP SYN packets going to
> # four different ports in less than three seconds. "Stealth" TCP
> # packets are always detected, regardless of these settings.
>
>
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log
>
> # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> # specific networks or hosts to reduce false alerts. It is typical
> # to see many false alerts from DNS servers so you may want to
> # add your DNS servers here. You can all multiple hosts/networks
> # in a whitespace-delimited list.
> #
>
> # preprocessor portscan-ignorehosts: 0.0.0.0 $DNS_SERVERS 
>
> # Spade: the Statistical Packet Anomaly Detection Engine
> #-------------------------------------------------------
> # READ the README.Spade file before using this plugin!
> #
> # preprocessor spade: <anom-report-thresh> <state-file>
> # <log-file> <prob-mode> <checkpoint-freq>  [-corrscore]
> #
> # set this to a directory Spade can read and write to
> # store its files
> #
> # var SPADEDIR .
> #
> # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> #
> # put a list of the networks you are interested in Spade observing
> packets
> # going to here; separate these by spaces
> #
> # preprocessor spade-homenet: 0.0.0.0/0
> #
> # this causes Spade to adjust the reporting threshold automatically
> # the first argument is the target rate of alerts for normal
> circumstances
> # (0.01 = 1% or you can give it an hourly rate) after the first hour
(or
> # however long the period is set to in the second argument), the
> reporting
> # threshold given above is ignored you can comment this out to have
the
> # threshold be static, or try one of the other adapt methods below
> # preprocessor spade-adapt3: 0.01 60 168
> #
> # other possible Spade config lines:
> # adapt method #1
> #preprocessor spade-adapt: 20 2 0.5
> # adapt method #2
> #preprocessor spade-adapt2: 0.01 15 4 24 7
> # offline threshold learning
> #preprocessor spade-threshlearn: 200 24
> # periodically report on the anom scores and count of packets seen
> #preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> # print out known stats about packet feature
> #preprocessor spade-stats: entropy uncondprob condprob
>
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP
attacks,
> # unicast ARP requests, and specific ARP mapping monitoring.  To make
> use
> # of this preprocessor you must specify the IP and hardware address of
> hosts on # the same layer 2 segment as you.  Specify one host IP MAC
> combo per line.
> # Also takes a "-unicast" option to turn on unicast ARP request
> detection. 
>
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
>
> ####################################################################
> # Step #3: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use.
> # General configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments
> #
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: snort.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> # output database: log, mysql, user=root password=test dbname=db
> host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, unixodbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
>
> # xml: xml logging
> # ----------------
> # See the README.xml file for more information about configuring
> # and using this plugin.
> #
> # output xml: log, file=/var/log/snortxml
>
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging
> # and generating alerts from Snort, the "unified" format.  The
> # unified format is a straight binary format for logging data 
> # out of Snort that is designed to be fast and efficient.  Used
> # with barnyard (the new alert/log processor), most of the overhead
> # for logging and alerting to various slow storage mechanisms
> # such as databases or the network can now be avoided.  
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
>
>
> # trap_snmp: SNMP alerting for Snort
> # -------------------------------------------------------------
> # Read the README-SNMP file for more information on enabling and using
> this
> # plug-in.
> #
> #
> # The SnmpTrapGenerator outputplugin requires several parameters
> # The parameters depend on the Snmpversion that is used (specified)
> # For the SNMPv2c case the paremeters will be as follows
> #  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
> #         <hostName> <community>
> #
> # For SNMPv2c traps 
> #
> #output trap_snmp: alert, 7, trap -v 2c -p 162  myTrapListener
> myCommunity
> #
> # For SNMPv2c informs 
> #
> #output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener
> myCommunity
> #
> # For SNMPv3 traps with 
> # security name = snortUser 
> # security level = authentication and privacy
> # authentication parameters :
> #           authentication protocol = SHA , 
> #           authentication pass phrase = SnortAuthPassword
> # privacy (encryption) parameters 
> #           privacy protocol = DES, 
> #           privacy pass phrase = SnortPrivPassword
> #
> #output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv
> -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> #For SNMPv3 informs with authentication and encryption
> #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l
authPriv
> -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
>
> # You can optionally define new rule types and associate one or 
> # more output plugins specifically to that type.
> #
> # This example will create a type that will log to just tcpdump.
> # ruletype suspicious
> # {
> #   type log
> #   output log_tcpdump: suspicious.log
> # }
> #
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
> Server";)
> #
> # This example will create a rule type that will log to syslog
> # and a mysql database.
> # ruletype redalert
> # {
> #   type alert
> #   output alert_syslog: LOG_AUTH LOG_ALERT
> #   output database: log, mysql, user=snort dbname=snort
host=localhost
> # }
> #
> # EXAMPLE RULE FOR REDALERT RULETYPE
> # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being
> LEET"; \
> #   flags:A+;)
>
> #
> # Include classification & priority settings
> #
>
> include classification.config
>
>
> ####################################################################
> # Step #4: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own 
> # custom snort rules.
> #
> # The rules included with this distribution generate alerts based on
> # on suspicious activity. Depending on your network environment, your
> # security policies, and what you consider to be suspicious, some of
> # these rules may either generate false positives ore may be detecting
> # activity you consider to be acceptable; therefore, you are
> # encouraged to comment out rules that are not applicable in your
> # environment.
> #
> # Note that using all of the rules at the same time may lead to
> # serious packet loss on slower machines. YMMV, use with caution,
> # standard disclaimers apply. :)
> #
> # The following individuals contributed many of rules in this
> # distribution.
> #
> # Credits:
> #   Ron Gula <rgula () securitywizards com> of Network Security Wizards
> #   Max Vision <vision () whitehats com>
> #   Martin Markgraf <martin () mail du gtn com>
> #   Fyodor Yarochkin <fygrave () tigerteam net>
> #   Nick Rogness <nick () rapidnet com>
> #   Jim Forster <jforster () rapidnet com>
> #   Scott McIntyre <scott () whoi edu>
> #   Tom Vandepoel <Tom.Vandepoel () ubizen com>
> #   Brian Caswell <bmc () snort org>
> #   Zeno <admin () cgisecurity com>
> #   Ryan Russell <ryan () securityfocus com>
> # 
> #=========================================
> # Include all relevant rulesets here 
> # 
> # shellcode, policy, info, backdoor, and virus rulesets are 
> # disabled by default.  These require tuning and maintance.  
> # Please read the included specific file for more information.
> #=========================================
>
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
>
>
> include local.rules
>
> ****************SNORTD.CONF******************
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users