
I'm using Snort on my Ubuntu 14.04 virtual machine. This is how I installed Snort:

sudo apt-get update
sudo apt-get install snort

I haven't changed /etc/snort/snort.conf or the rules files. They remain at the defaults, and I did the PCAP reading using the following command:

sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap

The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed Snort, there was no alert file in the /var/log/snort directory, so I created one and gave ownership to the snort user as follows:

sudo chown snort.snort alert

After the PCAP reading, both the snort.log and alert files have no content (although the modification date of snort.log changes to the date and time of the last read). Their sizes are 0 bytes. What am I doing wrong here? Do I need to make some additional changes to the rules/snort.conf files?

A.M.N.Bandara

1 Answer


It appears that Snort does not write the alert log when processing a pcap file; however, it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).

Since it does not write the alert log, you can instead get Snort to write the alert messages to syslog using the flag -s (or to the event log on Windows using -E), e.g.:

snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf

You should then see alerts in syslog e.g.:

$ sudo tail -f /var/log/messages
Aug  7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 142.167.88.44:61383 -> 192.168.5.122:21

In your case, it is likely that snort.log contains no data because no alerts were triggered. You should be able to confirm this either by reviewing the syslog or in the summary report printed afterwards, e.g.:

Action Stats:
     Alerts:            1 (  5.263%)
     Logged:            1 (  5.263%)
     Passed:            0 (  0.000%)
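The answer suggests two places to look once alerts go to syslog: the alert lines themselves and the "Action Stats" summary Snort prints at the end of a pcap run. The script below is an added example (not part of the question, the answer, or the Snort project) that parses both into structured data, so a zero-alert run can be told apart from a logging problem. The log lines and the stats block are constructed for illustration: the first alert line copies the shape of the line quoted in the answer, the ICMP line and the unrelated kernel line are made up, and the regular expressions assume the default Snort 2.x syslog alert format with IPv4 addresses.

```python
"""Parse Snort alerts sent to syslog with `snort -s`, plus the "Action Stats"
block Snort prints when it finishes reading a pcap.

Added example, not code from the original post or from the Snort project.
Assumes the Snort 2.x alert_syslog line format and IPv4 addresses.
"""
import re
from collections import Counter

# Constructed sample input. Line 1 mirrors the answer's example line; the ICMP
# alert (no ports) and the kernel line (not a Snort alert) are made up.
SAMPLE_SYSLOG = """\
Aug  7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 142.167.88.44:61383 -> 192.168.5.122:21
Aug  7 09:08:06 snort snort: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.5.122
Aug  7 09:08:07 snort kernel: [ 1234.567890] unrelated kernel message
"""

# Constructed copy of the summary block shown in the answer.
SAMPLE_STATS = """\
Action Stats:
     Alerts:            1 (  5.263%)
     Logged:            1 (  5.263%)
     Passed:            0 (  0.000%)
"""

# <ts> <host> snort[pid]: [gid:sid:rev] <msg> [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without a classtype omit it); ports are
# absent for ICMP.  Addresses are matched as IPv4 only.
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

STATS_RE = re.compile(r"^\s*(Alerts|Logged|Passed):\s+(\d+)", re.M)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["classification"],
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_syslog(text):
    """Extract every Snort alert from a chunk of syslog text, skipping other lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Count alerts overall, per priority and per (gid, sid) rule."""
    return {
        "total": len(alerts),
        "by_priority": dict(Counter(a["priority"] for a in alerts)),
        "by_rule": dict(Counter((a["gid"], a["sid"]) for a in alerts)),
    }


def parse_action_stats(text):
    """Return {'Alerts': n, 'Logged': n, 'Passed': n} from Snort's end-of-run summary."""
    return {k: int(v) for k, v in STATS_RE.findall(text)}


def pcap_triggered_alerts(stats):
    """True if the run summary shows at least one alert; False explains an empty snort.log."""
    return stats.get("Alerts", 0) > 0


if __name__ == "__main__":
    alerts = parse_syslog(SAMPLE_SYSLOG)
    for a in alerts:
        print(f"[{a['gid']}:{a['sid']}:{a['rev']}] prio={a['priority']} {a['proto']} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} {a['msg']}")
    print(summarize(alerts))
    stats = parse_action_stats(SAMPLE_STATS)
    print(stats, "alerts fired" if pcap_triggered_alerts(stats) else "no alerts: empty log is expected")
```

Run it as is to see the constructed lines parsed, or feed it real data with `sudo grep 'snort' /var/log/syslog` (Ubuntu) or /var/log/messages piped into `parse_syslog`; when `parse_action_stats` reports `Alerts: 0`, an empty snort.log is the expected result rather than a permissions or configuration fault.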