
My site seems to be the target of quite a bit of probing over the last few months. In an attempt to get a better handle on this I installed SNORT on one of the machines that has external exposure. Something must not be installed correctly as I see lots of probing in /var/log/messages but snort isn't logging anything.

System: CentOS 6.2 (32 bit)
Snort: (latest build and rules)

Snort configured from this very excellent site: http://nachum234.no-ip.org/security/snort/001-snort-installation-on-centos-6-2/

snort running as daemon: /usr/local/bin/snort -d -D -i bond0 -u snort -g snort -c /etc/snort.d/snort.conf -l /var/log/snort

The snort.log file is empty despite hundreds (or more) failed login attempts from individual IP addresses. Maybe I'm missing the purpose of SNORT? I was hoping it would log this sort of info.

ethrbunny

1 Answer


As long as the Snort daemon is running, the problem that generally causes this behavior is usually one of three things:

  1. Missing rule set; does not appear to apply here.
  2. Interface not configured correctly (listening on inside interface, not external monitor port).
  3. External interface not connected via a tap (if you are monitoring other hosts).

My best guess at this point is that you probably need to specify the interface to the daemon differently. Unless you are actually using a bonded interface (not mentioned in your question), that would be the first place I would look.

Tim Brigham
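A few shell checks for the three causes listed in this answer, added here as an example (not part of the original post or of Snort's own tooling). It assumes snort.conf declares the rules directory with a `var RULE_PATH ...` line and pulls in signatures with `include $RULE_PATH/x.rules` lines, as the linked CentOS guide's layout does.

```shell
#!/bin/sh
# Diagnostic helpers for "snort runs but logs nothing" (assumed layout: see lead-in).

# Cause 2: which interface did the daemon actually get with -i?
# $1 is the running command line, e.g. from:  ps -o args= -C snort
snort_iface() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-i") { print $(i + 1); exit } }'
}

# Interface carrying the default route: on a single exposed host, external probes
# arrive there, so it should normally match the -i value above.
default_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }' |
        head -n 1
}

# Cause 1: count active (non-comment) signatures across every .rules file the
# config includes. Zero means Snort has nothing to alert on, whatever the interface.
active_rule_count() {
    conf="$1"
    dir=$(dirname "$conf")
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    total=0
    for f in $(awk '$1 == "include" { print $2 }' "$conf" | grep '\.rules$' || true); do
        case "$f" in
            '$RULE_PATH/'*) f="$rule_path/${f#\$RULE_PATH/}" ;;   # expand the config variable
            /*) ;;                                               # already absolute
            *) f="$dir/$f" ;;                                    # relative to snort.conf
        esac
        [ -r "$f" ] || continue                                  # missing file: silently skipped by us, noisy in Snort's startup log
        n=$(grep -c -E '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Typical run on the host (paths taken from the question):
#   cmd=$(ps -o args= -C snort | head -n 1)
#   echo "snort listens on: $(snort_iface "$cmd")   default route via: $(default_iface)"
#   echo "active rules: $(active_rule_count /etc/snort.d/snort.conf)"
```

If the two interface names differ, or the rule count is 0, you have found the cause before touching tcpdump; cause 3 (no tap or SPAN feed) is the remaining suspect only when both checks pass and `tcpdump -ni <iface>` still shows the probing traffic.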