How to use Snort generate packet logs when in the NIDS mode?

Question

I am using Snort act like a network IDS by implementing snort configuration file and snort rules, I also want to capture all the packets (traffic) going through the specific network interface. My command is sudo snort -dev -P 65535 -i wlan0 -c /etc/snort/snort.conf -l /var/log/snort/ and the log format I want is

07/20-13:09:52.667262 34:DE:1A:26:03:18 -> 01:00:5E:7F:FF:FA type:0x800 len:0xAF
192.168.1.5:60857 -> 239.255.255.250:1900 UDP TTL:1 TOS:0x0 ID:29142 IpLen:20 DgmLen:161
Len: 133
4D 2D 53 45 41 52 43 48 20 2A 20 48 54 54 50 2F  M-SEARCH * HTTP/
31 2E 31 0D 0A 48 6F 73 74 3A 32 33 39 2E 32 35  1.1..Host:239.25
35 2E 32 35 35 2E 32 35 30 3A 31 39 30 30 0D 0A  5.255.250:1900..
53 54 3A 75 72 6E 3A 73 63 68 65 6D 61 73 2D 75  ST:urn:schemas-u
70 6E 70 2D 6F 72 67 3A 64 65 76 69 63 65 3A 49  pnp-org:device:I
6E 74 65 72 6E 65 74 47 61 74 65 77 61 79 44 65  nternetGatewayDe
76 69 63 65 3A 31 0D 0A 4D 61 6E 3A 22 73 73 64  vice:1..Man:"ssd
70 3A 64 69 73 63 6F 76 65 72 22 0D 0A 4D 58 3A  p:discover"..MX:
33 0D 0A 0D 0A  

                             3....

However, I can't get any logs in the log directory. The permission of log directory is 777. So I want to know is it possible to generate packet logs when it is running in NIDS mode?

Any help would be great. Thank You

Answer 1

In NIDS mode, Snort will only capture packets which trigger rules specified in the snort.conf file. Make sure that you use dummy rules for testing and generate interesting traffic for the rules to get triggered. You should then start seeing packets being logged in the directory you specified. Also make sure that you test this on wired interface first.