Snort mailing list archives
Re: Snort won't generate alerts with single snort.rules file
From: Anacleto Junior <suporte.anacleto () gmail com>
Date: Thu, 6 Mar 2014 11:23:28 -0300
2014-02-28 16:22 GMT-03:00 SnortFan <SnortFan () yahoo com>:
Can you try:
tcpdump -i eth1
To see if you're getting traffic on that interface.

I'm getting traffic on that interface..
11:10:12.293579 IP xxx.xxx.xxx.xxx.xxxx > xxx.xxx.xxx.xxx.xxx: Flags [.], ack 15841, win 16384, options [nop,nop,TS val 4252367761 ecr 3835930989], length 0
[...]

Also in your /etc/snort/rules/
grep -v '#' snort.rules | grep -v '^$' | wc -l
And see if that's close to the number of rules reported in:
cat /var/log/message | snort
When you restart snort.
Cheers,
Ed
Sent from a mobile device.

Hmm... When I run snort, I get this:
4559 Snort rules read
But with the command you suggested:
grep -v '#' /etc/snort/rules/snort.rules | grep -v '^$' | wc -l
4479
So the rules aren't loaded when I run snort? How can I proceed?

2014-02-28 16:22 GMT-03:00 SnortFan <SnortFan () yahoo com>:
Can you try:
tcpdump -i eth1
To see if you're getting traffic on that interface.
Also in your /etc/snort/rules/
grep -v '#' snort.rules | grep -v '^$' | wc -l
And see if that's close to the number of rules reported in:
cat /var/log/message | snort
When you restart snort.
Cheers,
Ed
Sent from a mobile device.
On Feb 28, 2014, at 12:19 PM, Anacleto Junior <suporte.anacleto () gmail com>
wrote:
Hi everyone,
Sorry for the poor English, but I will try my best. I will describe my
problems after upgrading the Snort rules.
Debian Linux 6.0.8 (kernel 2.6.32-5 x86_64)
Snort version: Version 2.9.6.0 GRE (Build 47)
Snort rules version: 2.9.6.0
pulledpork 0.7.0
barnyard2 2.1.13 build 327
I was using Snort v.2.9.5.6 with snortrules-snapshot-2956 for a good time.
I have upgraded to the latest version available and some issues occurred.
If this is not the right place to ask, sorry for that. I would
appreciate it if someone could point me to the right place to ask.
When I run snort with this command:
/usr/local/bin/snort -A console -u snort -g snort -c
/etc/snort/eth1/snort_eth1.conf -i eth1
I can't get alerts and no events are registered. This is the output
after I stop it (Ctrl+C):
I got some errors like:
WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule
duplicates previous rule. Ignoring old rule.
But it moves on...
4539 Snort rules read (so I assume it is reading the
4208 detection rules
0 decoder rules
4 preprocessor rules
4212 Option Chains linked into 185 Chain Headers
0 Dynamic rules
Snort ran for 0 days 0 hours 3 minutes 10 seconds
Pkts/min: 39481
Pkts/sec: 623
Packet I/O Totals:
Received: 118443
Analyzed: 118443 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
Breakdown by protocol (includes rebuilt packets):
Eth: 118567 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 118567 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 411 ( 0.347%)
UDP: 4682 ( 3.949%)
TCP: 111664 ( 94.178%)
Here's the problem, this is the info that got me concerned:
===============================================================================
*Action Stats: Alerts: 0 ( 0.000%) Logged: 0 ( 0.000%) Passed: 0 ( 0.000%)*
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 82225 ( 69.422%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 36218 ( 30.578%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
None of this traffic was even registered. I think I was supposed
to get some alerts, because I have a single file with all rules
(pulledpork rule management). Isn't it supposed to activate all rules by
default?
This is my snort.conf file:
http://pastebin.com/YWABcKsF
Thanks in advance.
--
Anacleto Júnior
Analista de TI e Redes
Linux User: #447388
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
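The thread turns on a mismatch between what Snort reports as "Snort rules read" and what a `grep -v '#' | wc -l` count of snort.rules gives, plus "GID 1 SID ... duplicates previous rule" warnings at load time. The script below is an added example (not code from Snort, pulledpork or anyone in the thread) that audits a pulledpork-style snort.rules file the way a defender checking such a mismatch would: it counts rules by logical rule rather than by physical line (joining backslash continuations, which the grep/wc one-liner counts as separate lines), separates active rules from ones pulledpork has commented out, and flags duplicate GID:SID pairs of the kind the SID 24017 warning describes. The sample rules and their SIDs are constructed for the example; it assumes Snort 2.9 rule syntax (one rule per line, `\` continues a line, `#` starts a comment, `gid:` defaults to 1).

```python
"""Audit a Snort 2.x rules file: count active rules, spot duplicate GID:SID pairs.

Added example for the snort-users thread; not Snort, pulledpork or poster code.
Assumes Snort 2.9 rule syntax: one rule per line, '\\' continues a line,
'#' starts a comment, options 'gid:N;' (default 1) and 'sid:N;' inside parentheses.
"""
import re
from collections import Counter

# Constructed sample of a pulledpork-style snort.rules (not real rule content):
# an active rule, a disabled (commented) rule, a rule split across two physical
# lines, two rules sharing SID 24017 (as in the WARNING quoted in the thread),
# and a rule with a non-default GID.
SAMPLE_RULES = r"""
# Generated by pulledpork (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; content:"probe"; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE multi-line"; \
    content:"split"; gid:1; sid:1000003; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE dup A"; sid:24017; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE dup B"; sid:24017; rev:2;)
alert tcp any any -> any any (msg:"SAMPLE non-default gid"; gid:120; sid:3; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")


def logical_lines(text):
    """Yield whole rules, joining backslash-continued physical lines.
    The grep | wc -l pipeline from the thread counts every physical line,
    so a file with continued rules is over-counted by it."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield "".join(buf).strip()
        buf = []
    if buf:  # file ended on a continuation line
        yield "".join(buf).strip()


def audit_rules(text):
    """Summarise a rules file: active vs. commented-out rules, the number of
    distinct GID:SID pairs, duplicate pairs (Snort keeps only one of each and
    warns), and active rules with no sid at all (Snort rejects those)."""
    active, disabled, missing_sid = 0, 0, []
    seen = Counter()
    for line in logical_lines(text):
        if not line:
            continue
        if line.startswith("#"):
            # pulledpork disables a rule by commenting it out; count those
            # separately from ordinary comments so the two are not confused
            if ACTION_RE.match(line.lstrip("# ")):
                disabled += 1
            continue
        active += 1
        sid = SID_RE.search(line)
        if not sid:
            missing_sid.append(line[:60])
            continue
        gid = GID_RE.search(line)
        seen[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] += 1
    return {
        "active": active,
        "disabled": disabled,
        "unique_ids": len(seen),
        "duplicates": sorted(k for k, n in seen.items() if n > 1),
        "missing_sid": missing_sid,
    }


if __name__ == "__main__":
    summary = audit_rules(SAMPLE_RULES)
    for key, value in summary.items():
        print(f"{key}: {value}")
    # To use on a real system: audit_rules(open('/etc/snort/rules/snort.rules').read())
    # and compare 'active' and 'unique_ids' with the "Snort rules read" line,
    # remembering that Snort also counts rules from every other included file.
```

Comparing `unique_ids` (what survives de-duplication) and `active` (what the file holds) against the startup count narrows down whether a gap comes from continuation lines, duplicate SIDs being dropped, or rules pulled in from other include files rather than from snort.rules not being read at all.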