From owner-freebsd-security Fri Jul 12  4: 9:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4655537B400
	for ; Fri, 12 Jul 2002 04:09:09 -0700 (PDT)
Received: from grace.sambolian.net.nz (203-79-83-205.cable.paradise.net.nz [203.79.83.205])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6429843E4A
	for ; Fri, 12 Jul 2002 04:09:08 -0700 (PDT)
	(envelope-from andy@sambolian.net.nz)
Received: by grace.sambolian.net.nz (Postfix, from userid 80)
	id ABF77FED7; Fri, 12 Jul 2002 23:10:55 +1200 (NZST)
Received: from 192.168.0.30 ( [192.168.0.30]) as user andy@imap.sambolian.net.nz
	by webmail.sambolian.net.nz with HTTP; Fri, 12 Jul 2002 23:10:55 +1200
Message-ID: <1026472255.3d2eb93f98607@webmail.sambolian.net.nz>
Date: Fri, 12 Jul 2002 23:10:55 +1200
From: Andrew Thompson
To: dawnshade
Cc: freebsd-security@freebsd.org
Subject: Re: Re[4]: Snort problem.
References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> <29552793875.20020712094517@mail.ru> <1026465184.3d2e9da02c762@webmail.sambolian.net.nz> <108568184025.20020712140147@mail.ru>
In-Reply-To: <108568184025.20020712140147@mail.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.0
X-Originating-IP: 192.168.0.30
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Hi,

Try running snort in the foreground, and without syslog, I use this:

/usr/local/bin/snort -i ep1 -A fast -c /usr/local/etc/snort.conf -m 027

This is the output that I receive, note the line on the output where it says
"885 Snort rules read..."

Log directory = /var/log/snort
Initializing Network Interface ep1
WARNING: OpenPcap() device ep1 network lookup:
	ep1: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface ep1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
885 Snort rules read...
885 Option Chains linked into 107 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

--Andy

Quoting dawnshade :

> Hello Andrew,
>
> Friday, July 12, 2002, 1:13:04 PM, you wrote:
>
> AT> Have you got any snort rules loaded? it will say that it has loaded x number of
> AT> rules when it starts up. I have been caught out before when it has not logged
> AT> anything, and it turned out that no rules were loaded.
>
>
> AT> --Andy
>
>
> AT> Quoting dawnshade :
>
> >> Hello faSty,
> >>
> >> Friday, July 12, 2002, 9:38:45 AM, you wrote:
> >>
> >> f> Did you check /var/log/messages because -s mean it goes directly syslogd send
> >> f> to /var/log/messages. Depend on what your syslogd.conf unless it is default
> >> f> syslogd.conf then check /var/log/messages.
> >>
> >> f> My snort on bridge look like:
> >> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
> >>
> >> f> -fasty
> >>
> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> >> >> I have a little problem:
> >> >> install, configure snort (1.8.6 (Build 105)).
> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
> >> >>
> >> >> But the snort does nothing: not log or alert scans, portscans,
> >> >> etc....
> >> >>
> >> >> thank all for advance.
> >> >>
> >> >>
> >>
> >> in syslog.conf i added these lines:
> >>
> >> LOG_ALERT /usr/log/snort.log
> >> LOG_AUTHPRIV /usr/log/snort.log
> >>
> >> In messages only starting message snort:
> >>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
> >>
>
> > No, snorts "talks" only these line:
>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>
> --
> Best regards,
> dawnshade mailto:h-k@mail.ru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
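The check Andy describes above (start snort in the foreground and confirm the "N Snort rules read..." line shows a non-zero count) can be scripted so that a sensor with an empty rule set is caught before it is trusted. The script below is an added example and is not part of the thread or of Snort itself; the two start-up banners it inspects are constructed inline to mimic the 1.8.6 output quoted in the mail, and `rules_read_count` and `check_snort_banner` are names chosen here. In practice the banner would come from something like `snort -i ep1 -A fast -c /usr/local/etc/snort.conf 2>&1 | tee banner.txt` (an assumed invocation, not one from the mail).

```shell
#!/bin/sh
# Added example (not from the thread): verify from snort's foreground
# start-up banner that rules were actually loaded, and surface the
# WARNING lines that the thread shows (interface without an IPv4
# address, command-line -A overriding the output plugins in the config).
# All sample banners below are constructed.

# rules_read_count FILE -> prints N from the first "N Snort rules read..." line
# (prints 0 when the line is missing entirely).
rules_read_count() {
    n=$(sed -n 's/^\([0-9][0-9]*\) Snort rules read.*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# check_snort_banner FILE -> returns 0 when at least one rule was read,
# 1 otherwise; echoes any WARNING lines so they are not lost in the noise.
check_snort_banner() {
    f=$1
    count=$(rules_read_count "$f")
    grep -i 'WARNING' "$f" | sed 's/^/  warning: /'
    if [ "$count" -gt 0 ]; then
        echo "ok: $count rules read from banner in $f"
        return 0
    fi
    echo "problem: no rules read (check the include lines in the -c config)"
    return 1
}

# Constructed sample 1: healthy start-up, modelled on the 885-rule banner.
good=$(mktemp)
cat > "$good" <<'EOF'
Initializing Network Interface ep1
WARNING: OpenPcap() device ep1 network lookup:
        ep1: no IPv4 address assigned
Parsing Rules file /usr/local/etc/snort.conf
885 Snort rules read...
885 Option Chains linked into 107 Chain Headers
0 Dynamic rules
        --== Initialization Complete ==--
EOF

# Constructed sample 2: config parsed cleanly but no rule files included,
# the silent failure mode Andy says has caught him out before.
bad=$(mktemp)
cat > "$bad" <<'EOF'
Parsing Rules file /usr/local/etc/snort.conf
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
        --== Initialization Complete ==--
EOF

check_snort_banner "$good"
check_snort_banner "$bad" || true
```

The "Initialization Complete" line alone is not evidence that the sensor will alert on anything; a zero rule count is the condition to fail on, which is why the function returns non-zero there so it can gate a start-up script.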