So I was following this guide on how to install Snort, Barnyard 2 and the like.

I've set up Snort so it would run automatically, by editing the rc.local file:

    # bring up the sniffing interface, then start Snort and Barnyard2 as daemons
    ifconfig eth1 up

    /usr/local/snort/bin/snort -D -u snort -g snort \
        -c /usr/local/snort/etc/snort.conf -i eth1
    /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
        -d /var/log/snort \
        -f snort.u2 \
        -w /var/log/snort/barnyard2.waldo \
        -D

And I then restarted the computer. Snort was able to run and detect the attack, but the log files (including barnyard2.waldo) remained blank, even though a new log entry was created for each attack.

I'm not sure what went wrong here, since it's supposed to log any attacks and store it in the log directory, right?

Then, I tried changing the parameter to:

    /usr/local/snort/bin/snort -D -b -u snort -g snort \
        -c /usr/local/snort/etc/snort.conf -i eth1

And when I checked the log directory, there are two log files, one in u2 and another in tcpdump format, but they're both blank and are approximately 0 bytes.

So I thought I'd run it from the console to see if it would work from there, using this command:

    /usr/local/snort/bin/snort -A full -u snort -g snort \
        -c /usr/local/snort/etc/snort.conf -i eth1

and I then checked the log file to see if it would log the attack, and it still doesn't.

hdr

2 Answers

Please check the permissions of the log files and the log directory.

Possibly Snort is not able to write into that file/directory.

Dennis Nolte
  • Here's what the file permissions look like in /var/log/snort (`ls -l /var/log/snort`):
    total 0
    -rw-r--r-- 1 root  root  0 Mei 12 23:52 alert
    -rw-r--r-- 1 snort snort 0 Apr 26 17:51 barnyard2.waldo
    -rw------- 1 snort snort 0 Mei 13 08:58 snort.log.1399942704
    -rw------- 1 snort snort 0 Mei 13 09:00 snort.log.1399942834
    -rw------- 1 snort snort 0 Mei 13 21:02 snort.log.1399986140
    – hdr May 13 '14 at 13:27
  • @hdr Please change the permissions so you are able to write in the directory. For a short test do `chmod o+w /var/log/snort` and restart Snort (maybe /var/ and /var/log/ as well). This is just for testing! When this works you should change either the snort user or the permissions for /var/log/snort/. – Dennis Nolte May 13 '14 at 14:11
  • Sorry for the late reply, the internet connection crapped out the whole day for some reason. But when I tried your suggestion it still doesn't work. However, when I started Snort from the console instead of as a daemon, I noticed this: `Reputation config: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.` Do you think this might be the cause of the problems? – hdr May 14 '14 at 02:14
  • Update: So I re-downloaded the Snort ruleset file and recreated and reconfigured the entries (and also applied chmod on the /var/ directory), but it seems the problem's still there. – hdr May 14 '14 at 04:00
  • Sorry, out of ideas; the error you get seems not to be related to your issue, based on a few Google entries. – Dennis Nolte May 14 '14 at 07:08
Seems like you have `nostamp` specified in your snort.conf. Find the line `output unified2: filename snort.log, limit 128` and make sure it doesn't look like: `output unified2: filename snort.log, limit 128, nostamp`

Drew
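The two answers above point at two different things to check before starting Snort from rc.local: whether the snort user can write to the log directory (Dennis's answer and the `ls -l` listing in the comments) and whether the unified2 output line carries `nostamp` (Drew's answer). The script below is an added example, not code from the question or from either answer, that turns both checks into a pre-flight step. The `snort` user/group and the /var/log/snort and snort.conf paths are the ones the question uses; the function names (`perm_check`, `conf_has_nostamp`, `strip_nostamp`, `preflight`, `make_sample_conf`) and the snort.conf fragment it runs against are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or from either answer.
# Pre-flight checks for the two causes discussed on this page, meant to
# run before the snort line in rc.local:
#   1. the mode bits on the log directory let the snort user write there
#      (the reasoning Dennis applies to the `ls -l /var/log/snort` listing);
#   2. no "output unified2:" line in snort.conf carries "nostamp" (Drew).
# Function names and the sample snort.conf fragment are constructed for
# this example; the snort user/group and paths are the question's.

# perm_check DIR USER GROUP
# Reads the mode/owner/group columns of `ls -ld DIR` and applies the usual
# owner -> group -> other precedence.  Ignores ACLs and root's override, so
# a "no" here is definitive and a "yes" only probable.
perm_check() {
    _dir=$1 _user=$2 _group=$3
    _listing=$(ls -ld "$_dir") || return 2
    set -- $_listing                       # mode links owner group size ...
    _mode=$1 _owner=$3 _grp=$4
    _ow=$(printf '%s' "$_mode" | cut -c3)  # owner write bit
    _gw=$(printf '%s' "$_mode" | cut -c6)  # group write bit
    _xw=$(printf '%s' "$_mode" | cut -c9)  # other write bit
    if [ "$_owner" = "$_user" ]; then
        [ "$_ow" = w ]
    elif [ "$_grp" = "$_group" ]; then
        [ "$_gw" = w ]
    else
        [ "$_xw" = w ]
    fi
}

# conf_has_nostamp CONF -> 0 if an active unified2 output line uses nostamp
conf_has_nostamp() {
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2:.*nostamp' "$1"
}

# strip_nostamp CONF OUT -> writes a copy of CONF with ", nostamp" removed
# from unified2 output lines; any other options on the line are kept.
strip_nostamp() {
    sed -E 's/^([[:space:]]*output[[:space:]]+unified2:.*),[[:space:]]*nostamp/\1/' \
        "$1" > "$2"
}

# preflight LOGDIR CONF USER GROUP -> 0 only if both checks pass
preflight() {
    _rc=0
    if ! perm_check "$1" "$3" "$4"; then
        echo "FAIL: mode bits on $1 do not let $3 write there"; _rc=1
    fi
    if conf_has_nostamp "$2"; then
        echo "FAIL: unified2 output in $2 uses nostamp"; _rc=1
    fi
    return $_rc
}

# Constructed snort.conf fragment reproducing the bad line from Drew's answer.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf fragment (not a real installation's file)
output unified2: filename snort.log, limit 128, nostamp
EOF
}

# Demo on a temp dir standing in for /var/log/snort: mode 0700 and owned by
# whoever runs this script, so the snort user would be denied.
demo=$(mktemp -d)
mkdir "$demo/log" && chmod 700 "$demo/log"
make_sample_conf "$demo/snort.conf"
if preflight "$demo/log" "$demo/snort.conf" snort snort; then
    echo "preflight passed; safe to start snort"
else
    strip_nostamp "$demo/snort.conf" "$demo/snort.conf.fixed"
    echo "fixed line: $(grep unified2 "$demo/snort.conf.fixed")"
fi
rm -rf "$demo"
```

In rc.local the natural use is `preflight /var/log/snort /usr/local/snort/etc/snort.conf snort snort || exit 1` ahead of the snort and barnyard2 lines, so a permission or `nostamp` problem is reported at boot instead of surfacing as empty log files later. The mode-bit check deliberately does not try `su snort -c 'test -w ...'`, which needs root and a login shell for the service account; it mirrors what a reader does by eye on the `ls -l` output, with the caveat that ACLs are not considered.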