Re: log files empty

[wkitty42 () windstream net]

On 03/13/2016 04:39 PM, Mark Cole wrote:
> I have installed snort on ElementaryOS in a VM on a Mac (with Parallels). I have
> configured snort to use alert logging and packet logging via snort.conf. I have
> a very simple rule setup that alerts if any outgoing facebook connection. When I
> go to facebook I see the activity on the Snort console but nothing gets written
> to the logs. I think I have read every web page that I can find through Google
> on “snort log empty” or “snort log zero”. I have tried all of the
> recommendations that I can find. I can see the logrotate works because it
> creates a new snort.log.xxxxxxx every time I run snort - but they are always
> empty too.  Help!
>
> This is what my rule looks like:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Facebook Web Request";
> sid:9999; content:"facebook";flow:to_server,established;)

that rule won't do what you actually intend it to do... it will/should, in fact, 
alert on any occurrence of your content on any traffic originating on your 
network and flowing to any server on port 80 outside your local network... it 
does not signify that a request to any facebook domain has been established... 
for example, reading this message on a html accessed webmail account and 
replying to it will trigger your rule...

> My snort.conf has these relevant entries:
> config logdir: /var/log/snort
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> ##I have tried taking nostamp out based on one article I read with no change

you have not given us your command line or other necessary information...

https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!