What are your alert settings in your snort.conf file? Also I would recommend running tail -f <path to snort alert file> when running snort, so you can see those alerts as they happen.
SNORT not alerting to console
Question
I'm trying to test snort 2.9.4 on CentOS 6.4 but cannot see any alerts on the console. I run it with the following command:
snort -i eth2 -c /etc/snort/snort.conf
eth2 is the interface connected to a span port. If I do a tcpdump on the interface I get lots and lots of data.
I have the following rules in local.rules:
alert icmp any any -> any any (msg: "ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg: "TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg: "UDP Testing Rule"; sid:1000003; rev:1;)
When I hit "control c" I get the following stats:
===============================================================================
Run time for packet processing was 817.54341 seconds
Snort processed 17555 packets.
Snort ran for 0 days 0 hours 13 minutes 37 seconds
Pkts/min: 1350
Pkts/sec: 21
===============================================================================
Packet I/O Totals:
Received: 17610
Analyzed: 17555 ( 99.688%)
Dropped: 55 ( 0.311%)
Filtered: 0 ( 0.000%)
Outstanding: 55 ( 0.312%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 17599 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 17175 ( 97.591%)
Frag: 0 ( 0.000%)
ICMP: 16 ( 0.091%)
UDP: 794 ( 4.512%)
TCP: 16365 ( 92.988%)
IP6: 12 ( 0.068%)
IP6 Ext: 12 ( 0.068%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 12 ( 0.068%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 12 ( 0.068%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 3 ( 0.017%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 421 ( 2.392%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 11 ( 0.063%)
S5 G 2: 33 ( 0.188%)
Total: 17599
===============================================================================
Action Stats:
Alerts: 4933 ( 28.030%)
Logged: 4933 ( 28.030%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 261
Verdicts:
Allow: 13263 ( 75.315%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 4292 ( 24.373%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 643
TCP sessions: 285
UDP sessions: 358
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 285
TCP StreamTrackers Deleted: 285
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 7229
TCP Segments Released: 7229
TCP Rebuilt Packets: 1401
TCP Segments Used: 7068
TCP Discards: 95
TCP Gaps: 4
UDP Sessions Created: 358
UDP Sessions Deleted: 358
UDP Timeouts: 0
UDP Discards: 0
Events: 0
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 16321
UDP Port Filter
Dropped: 0
Inspected: 51
Tracked: 358
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 8
GET methods: 238
HTTP Request Headers extracted: 261
HTTP Request Cookies extracted: 94
Post parameters extracted: 8
HTTP response Headers extracted: 251
HTTP Response Cookies extracted: 18
Unicode: 0
Double unicode: 0
Non-ASCII representable: 0
Directory traversals: 0
Extra slashes ("//"): 37
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 55
Gzip Compressed Data Processed: 363978.00
Gzip Decompressed Data Processed: 1132880.00
Total packets processed: 8600
===============================================================================
SMTP Preprocessor Statistics
Total sessions : 0
Max concurrent sessions : 0
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 0
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1159
Client Hello: 134
Server Hello: 121
Certificate: 89
Server Done: 228
Client Key Exchange: 77
Server Key Exchange: 9
Change Cipher: 214
Finished: 0
Client Application: 151
Server Application: 59
Alert: 0
Unrecognized records: 608
Completed handshakes: 0
Bad handshakes: 0
Sessions ignored: 59
Detection disabled: 0
===============================================================================
SIP Preprocessor Statistics
Total sessions: 0
===============================================================================
Snort exiting
Thank you.
The solution
Other tips
hmm, maybe you can try this one in the terminal:
snort -i eth2 -A full
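As an added example (not code from either answer or from the Snort project), a small Python triage script for the situation in the question: it reads the Ctrl-C summary Snort 2.9 prints and the active "output" lines of snort.conf, and decides whether the problem is traffic, detection, or output routing. The summary excerpt and the snort.conf fragment are constructed from the figures on this page; the point they show is that Action Stats already reports 4933 alerts, so the rules fire and the alerts are simply being written to the alert file (which is what the default "output alert_fast: alert" and "-A full" do) instead of the terminal; "-A console" or an "output alert_fast: stdout" line is what prints them on screen.

```python
import re
# Constructed excerpt of the Ctrl-C summary from the question (same figures).
SAMPLE_SUMMARY = """\
Packet I/O Totals:
Analyzed: 17555 ( 99.688%)
Action Stats:
Alerts: 4933 ( 28.030%)
Frag3 statistics:
Alerts: 0
"""
# Constructed snort.conf fragment: alerts go to files, nothing to the console.
SAMPLE_CONF = """\
# output alert_syslog: LOG_AUTH LOG_ALERT
output unified2: filename snort.log, limit 128
output alert_fast: alert
"""
HEADER = re.compile(r"^[A-Za-z][^:]*:\s*$")                   # "Action Stats:"
VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 /-]*?):\s*(\d+)")   # "Alerts: 4933 ( 28.030%)"

def parse_summary(text):
    """Map (section, counter) -> int; the section disambiguates repeated names like 'Alerts'."""
    stats, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            section = line.rstrip(":").strip()
        elif section and (m := VALUE.match(line)):
            stats[(section, m.group(1))] = int(m.group(2))
    return stats

def output_plugins(conf):
    """Active 'output <plugin>: <args>' lines as (plugin, first argument) pairs."""
    found = []
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("output "):            # commented-out lines are skipped
            plugin, _, rest = line[len("output "):].partition(":")
            args = rest.split()
            found.append((plugin.strip(), args[0].rstrip(",") if args else ""))
    return found

def diagnose(summary, conf):
    """Classify the 'nothing on the console' symptom from summary + conf."""
    s = parse_summary(summary)
    if s.get(("Packet I/O Totals", "Analyzed"), 0) == 0:
        return "no-traffic"          # interface/span-port problem, not rules
    if s.get(("Action Stats", "Alerts"), 0) == 0:
        return "no-detection"        # rules not loaded or not matching
    if any(target == "stdout" for _, target in output_plugins(conf)):
        return "console-configured"  # alert_fast: stdout prints to the terminal
    return "alerts-to-file"          # detection works; read the alert file
```

Run against the page's own figures, diagnose() returns "alerts-to-file", which is exactly the case the first answer's tail -f advice addresses.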
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow