Snort FAQSNORT FAQ Version 1.7 - January 04 2001 v1.7.3 Suggestions for enhancements of this document are always welcome please email them to Dragos Ruiu at dr@kyx.net The following people have contributed to this faq: Marty Roesch Fyodor Yarochkin Dragos Ruiu Jed Pickel Max Vision Michael Davis Joe McAlerney Joe Stewart Erek Adams Roman Danyliw Christopher Cramer Frequently Asked Questions about "snort" Q: How do you pronounce the names of some of these guys who work on snort? Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap? Q: How do I run snort? Q: Where are my log files located? What are they named? Q: Where's a good place to physically put a Snort sensor? Q: I'm on a switched network, can I still use Snort? Q: I'm getting large amounts of . What should I do? Where can I go to find out more about it? Q: What about all these false alarms? Q: What are all these ICMP files in subdirectories under /var/log/snort? Q: My network spans multiple subnets. How do I define HOME_NET? Q: I have one network card and two aliases, how can I force snort to "listen" on both addresses ? Q: How do I ignore traffic coming from a particular host or hosts? Q. Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list? Q: Why are there no subdirectories under /var/log/snort for IP addresses? Q: How do I run snort on an interface with no IP address? Q: Libpcap complains about permissions problems, what's going on? Q: Why does snort complain about /var/log/snort? Q: How do you get snort to ignore some traffic? Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? Q: I think I found a bug in snort. Now what? Q: Does Snort handle IP defragmentation? Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh? Q: I've got RedHat and .... Q: How do I setup snort on a 'stealth' interface? Q: I Want to build a snort box. Will this handle traffic? Q: What are CIDR netmasks? Q: Where do I get the latest version of libpcap? Q: What are these IDS codes in the alert names? Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? Q: What about "CGI Null Byte attacks"? Q: Where can I get more reading and courses about IDS? Q: How do I log to multiple databases? Q: What are all these "ICMP destination unreachable" alerts? Q: Why does building snort complain about missing references? Q: Why does building snort fail with errors about yylex and lex_init? Q: What is the use of the "-r" switch to read tcpdump files? Q: How do I get Snort to log the packet payload as well as the header? Q: Does Snort log the full packets that it generates alerts on? Q: Why does the program generate alerts on packets that have pass rules? Q: Does Snort perform TCP stream reassembly? Q: SMB alerts aren't working, what's wrong? Q: How can I test snort without having an ethnernet card or a connection to other computers? Q: I'm having problems getting snort to log to a database... Q: Where do I get more help on snort? Q: How to start snort as a win32 service? Q: How do I process those snort logs into HTML reports? Q: Why do certain alerts seem to have 'unknown' IPs in ACID? Q: Why does the 'error deleting alert' message occur when attempting to delete an alert with ACID? Q: ACID appears to be broken in Lynx Q: Can priorities be assigned to Alerts using ACID? Q: My ACID db connection times-out when performing long operations (e.g. deleting a large number of alerts) Q: Why does snort report "Packet loss statistics are unavailable under Linux"? Q: What the heck is a SYNFIN scan? Q: What about 'SMB Name Wildcard' alerts? Q: Which takes precedence, commandline or rule file ? Q: My /var/log/snort directory gets very large..... Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall? Q: How can I run snort on multiple interfaces simultaneously. Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong. Q: IP address is assigned dynamically to my interface, can I use snort with it? Q: On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong? --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do you pronounce the names of some of these guys who work on snort? A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And Jed's last name is like "pick-el", not "pickle". :) --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap? A: Nope. fyodor@insecure.org is the author of nmap, and he uses the same pseudonym as other snort Fyodor's real surname. Yeah, messes up my mailbox too, but I think it's too late to change either of them :-). --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I run snort? a: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the packets. Then run it with the HOME_NET set appropriately for the network you're defending in your rules file. A default rules file comes with the snort distribution and is called "snort.conf" You can run this basic ruleset with the following command line: snort -Afull -c snort.conf If it's all set right, once it's running do an "ifconfig -a" and make sure the interface is in promiscuous mode (it'll say so in the options section of the printout). If it's not, there should be a way to set it manually. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where are my log files located? What are they named? A: If you specified a logging directory with the -l parameter then that is where your files are located. If you did not specify a logging directory then Snort will log to /var/log/snort/. In the past, running Snort in daemon mode (-D) produced a file named "snort.alert". For consistency sake, this has been changed. Running Snort in both standard or daemon modes (-D) will produce a file named "alert". --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where's a good place to physically put a Snort sensor? A: This is going to be heavily influenced by your organizations policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall. Placing an IDS outside of your firewall will allow you monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated. Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass. If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made it's way in. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I'm on a switched network, can I still use Snort? A: This depends on the type of switch you have. If it can mirror traffic, you can direct it to the port that your Snort box is on. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I'm getting large amounts of . What should I do? Where can I go to find out more about it? A: Some rules are more prone to producing false positives than others. This often varies between networks. You first need to determine if it is indeed a false positive. Some rules are referenced with ID numbers. The following are some common identification systems, and where to go to find more information about a particular alert. System Example URL --------------------------------------------------------------- IDS IDS182 http://www.whitehats.com/IDS/182 CVE CVE-2000-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138 Bugtraq BugtraqID 1 http://www.securityfocus.com/vdb/bottom.html?vid=1 McAfee Mcafee 10225 http://vil.nai.com/vil/dispVirus.asp?virus_k=10225 It may be necessary to examine the packet payload to determine if the alert is a false positive. The packet payload is logged using the -d option. If you determine the alerts are false positives, you may want to write pass rules for machines that are producing a large number of them. If the rule is producing an unmanageable amount of false positives from a number of different machines, you could pass on the rule for all traffic. This should be used as a last resort. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What about all these false alarms? A: Most think that a pile of false positives is infinitely preferable. Then people can turn off what they don't want. The reverse, having a small rule set, can lure people into complacency thinking that Snort is doing "its thing" and there is nothing to worry about. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are all these ICMP files in subdirectories under /var/log/snort? A: Most of them are likely destination unreachable and port unreachables that were detected by snort when a communications session attempt fails. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: My network spans multiple subnets. How do I define HOME_NET? A: Snort 1.7 supports IP lists. You can assign a number of addresses to a single variable. For example: var HOME_NET [10.1.1.0/24,192.168.1.0/24] NOTE: Not all preprocessors support IP lists at this time. Unless otherwise stated, assume that any preprocessor using an IP list variable will use the first value as the HOME_NET. The portscan preprocessor is an example. To catch all detectable portscans, pass 0.0.0.0/0 in as the first parameter. preprocessor portscan: 0.0.0.0/0 5 3 portscan.log Use the portscan-ignorhosts preprocessor to fine tune and ignore traffic from noisy, trusted machines. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I have one network card and two aliases, how can I force snort to "listen" on both addresses ? a: If you're using at least version 1.7, you can specify an IP list like this: var HOME_NET [192.168./24,/32] If you're using something older (version 1.6.3-patch2 or whatever) you can re-specify the HOME_NET variable multiple times like this (for example): var HOME_NET 10.1.1.0/24 include scan-lib etc. var HOME_NET 192.168.1.0/24 include scan-lib etc. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I ignore traffic coming from a particular host or hosts? A: Write pass rules and add the host(s) to the portscan-ignorehosts list. Call Snort with the -o option to activate the pass rules. See http://www.snort.org/writing_snort_rules.htm for more information. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list? A: These types of tcp packets are inherently suspicious, no matter where they are coming from. The portscan detector was built with the assumption that "stealth" packets should be reported, even from hosts which are not monitored for portscanning. An option to ignore "stealth" packets may be added in the future. A: Bring up the interface without an IP address on it. Url: http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/ A: Use an ethernet tap, or build your own 'receive-only' ethernet cable. Url: http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why are there no subdirectories under /var/log/snort for IP addresses? A: It depends on how your snort configuration logs. If it logs in binary format, you'll have to process the binary log in order to get cleartext --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I run snort on an interface with no IP address? A: ifconfig ethN up --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Libpcap complains about permissions problems, what's going on? A: You are either not running snort as root or your kernel is not configured correctly. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does snort complain about /var/log/snort? A: It requires this directory to log alerts to it. Use: mkdir /var/log/snort --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do you get snort to ignore some traffic? A1: Specify bpf filters on the command line the tcpdump man page has a description of bpf filters. A2: Use a pass rule A3: The portscan preprocessor has it's own special exclusion list with the portscan-ignorehosts.rules file directive --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does the portscan plugin log "stealth" packets even though the host is in portscan-ignorehosts? A: Because that's the way it was made. :-) No, because these types of tcp packets are inherently suspicious, no matter where they are coming from. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? A: One of the reasons it alerts on a PA flags is to minimize the false positive. You will only get an alert upon successful connections. If you want to see all the attempts, you either have to modify the signatures, add you own signatures or use your firewall logs to see if an attempt to specific a port occurred. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I think I found a bug in snort. Now what? A: get some more diagnostic information and post it to "snort-users" at http://www.sourceforge.net To get diagnostic information compile snort as either: make clean; make CFLAGS=-ggdb or make clean; make "CFLAGS=-ggdb -DDEBUG" trace coredump as: gdb /path/to/snort /path/to/snort/core gdb> where gdb> bt gdb> print $varname, varname, $$varname etc.. or if corefile isn't generated snort should be started as gdb snort gdb> run --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Does Snort handle IP defragmentation? A: Yes, use "preprocessor defrag" Snort also currently has the "minfrag" rule option available that looks for tiny fragments and can generate alerts based upon the size of the fragments alone. This is a valid strategy because there is virtually no commercially available network equipment that fragments packets smaller than 256 bytes, while most hacking packages that try to mask their traffic with fragments make them as small as possible. The minfrag option allows you to specify a fragment size threshold below which Snort will generate alerts. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh? A: This was an internal diagnostic message triggered by an old bug in early versions of the defragmentation preprocessor. Upgrade to to the latest version of snort. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I've got RedHat and .... A: Check your version of libpcap. :) If it's not <= 0.5, then you should update. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I setup snort on a 'stealth' interface? --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I Want to build a snort box. Will this handle traffic? A: That depends. ;-) Lower the number of rules is a standard performance increase. Disable rules that you don't need or care about. Etc... There have been many discussions on 'tweaking performance' with lots of 'I handle XX mb with a ___ machine setup.' being said. Look at some of the discussions on snort-users --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are CIDR netmasks? A: Excerpted from url: http://public.pacbell.net/dedicated/cidr.html CIDR is a new addressing scheme for the Internet which allows for more efficient allocation of IP addresses than the old Class A, B, and C address scheme. CIDR Block Prefix # Equivalent Class C # of Host Addresses /27 1/8th of a Class C 32 hosts /26 1/4th of a Class C 64 hosts /25 1/2 of a Class C 128 hosts /24 1 Class C 256 hosts /23 2 Class C 512 hosts /22 4 Class C 1,024 hosts /21 8 Class C 2,048 hosts /20 16 Class C 4,096 hosts /19 32 Class C 8,192 hosts /18 64 Class C 16,384 hosts /17 128 Class C 32,768 hosts /16 256 Class C 65,536 hosts (= 1 Class B) /15 512 Class C 131,072 hosts /14 1,024 Class C 262,144 hosts /13 2,048 Class C 524,288 hosts For more detailed technical information on CIDR, go to http://www.rfc-editor.org/rfcsearch.html and type in the number of the CIDR RFC you are interested in: RFC 1517: Applicability Statement for the Implementation of CIDR RFC 1518: An Architecture for IP Address Allocation with CIDR RFC 1519: CIDR: An Address Assignment and Aggregation Strategy RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where do I get the latest version of libpcap? A: http://www.tcpdump.org/ --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are these IDS codes in the alert names? A: IDS means "Intrusion Detection Signature" (true?) and identifies a known attack attempt. You can learn more about a specific IDS id at the arachNIDS search engine on http://www.whitehats.com/. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? A: If you are dumping the data part of the packet, review it. These rules are known to have high false rates as most of them are just based on numeric port numbers. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What about "CGI Null Byte attacks"? A: It's a part of the http preprocessor. Basically, if the http decoding routine finds a %00 in an http request, it will alert with this message. Sometimes you may see false positives with sites that use cookies with urlencoded binary data, or if you're scanning port 443 and picking up SSLencrypted traffic . If you're logging alerted packets you can check the actual string that caused the alert. Also, the unicode alert is subject to the same false positives with cookies and SSL. Having the packet dumps is the only way to tell for sure if you have a real attack on your hands, but this is true for any content-based alert. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where can I get more reading and courses about IDS? A: Sans has some courses. There are also a couple of books you might want to look into getting. Network Intrusion Detection An Analyst's Handbook By Stephen Northcutt ISBN 0735708681 TCP/IP Illustrated, Volume 1 The Protocols By W. Richard Stevens ISBN 0201633469 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I log to multiple databases? A: You can build redundancy by using multiple output plugins. Here are some examples. Multiple instantiations of the database plugin: output log_database: mysql, dbname=snort host=localhost user=xyz output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz Remote database and local tcpdump: output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz output log_tcpdump: /var/log/snort.tcpdump Then you can replay the tcpdump file through snort to recreate the database. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are all these "ICMP destination unreachable" alerts? A: They are failed connections ICMP unreach packet carries first 64 bytes of the original datagram. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does building snort complain about missing references? A: You must make libpcap with the --install-incl option --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does building snort fail with errors about yylex and lex_init? A: You need the lex and yacc tools or their gnu equivalents flex and bison installed. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What is the use of the "-r" switch to read tcpdump files? A: Used in conjunction with a snort rules file, the tcpdump data can be analyzed for hostile content, port scans, or anything else Snort can be used to detect. Snort can also just simply display the packets in their decoded format, which many people find is easier to read than native tcpdump output. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I get Snort to log the packet payload as well as the header? A: Use the "-d" command line option. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Does Snort log the full packets that it generates alerts on? A: Yes, they should be in the directory that has the same IP address as the source host of the packet which generated the alert. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does the program generate alerts on packets that have pass rules? A: The default order that the rules are applied in is alerts first, then pass rules, then log rules. This ordering ensures that you don't write 50 great alert rules and then disable them all accidently with an errant pass rule. If you really want to change this order so that the pass rules are applied first, use the "-o" command line switch. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Does Snort perform TCP stream reassembly? A: Yes, this capability is in BETA testing with the 1.7 release. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: SMB alerts aren't working, what's wrong? A: Make sure you include "--enable-smbalerts" when you run "./configure". --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How can I test snort without having an ethnernet card or a connection to other computers? A: You have to use routing between two dummy devices: modprobe -a dummy (The dummy device has to be build by the kernel) ifconfig dummy0 192.168.0.1 ifconfig dummy0:0 192.168.0.2 telnet 192.168.0.3 12345 It's important that the second IP is on the same interface and not e.g. dummy1 or dummy2 and that the IP you try to access is *not* one of those you put on the interfaces. Use snort's ability to hear in promiscious mode on an IP address range. (HOMEDIR=192.168.0.0/16) Top --faq-- --snort-- --faq-- --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I'm having problems getting snort to log to a database... A: There were some issues with snort 1.6.3 writes Lee wrote.. > > Initializing rule chains... > > log_database: Database type is mysql > > log_database: Database name is snort > > log_database: Host set to localhost > > log_database: User set to root > > Problem obtaining SENSOR ID (sid) from mysql->snort->event In version 1.6.3, it turns out that many people have seen this error because they did not compile in support for their database. It should be fixed in snort 1.7 A quick and easy "fix" for older snort versions is to add -lm to either LIBS or LDFLAGS in the Makefile. e.g. LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl Anyway, if you are still having this problem you can take a look at the updated the installation and configuration information at the following web site. http://www.incident.org/snortdb --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where do I get more help on snort? A: http://lists.sourceforge.net/mailman/listinfo/snort-users --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How to start snort as a win32 service? A: Service support has been added to snort-1.6.3-patch2 You can download the binary from: http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip Right now there is only a binary available. Snort Service FAQ: 1) Use must use complete paths for everything. This means EVERYTHING. Command line, configuration files, everything. Examples: All include statements must be full paths. I.E. 'include scan-lib' is WRONG. 'include C:\snort\scan-lib' is CORRECT. All Command line options must be full paths. I.E. 'snort.exe -l ./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT. 2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE(-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes. 3) How to install the snort service. Run snort like you would via command line but add a '-I'. I.E. 'snort.exe -c snort.conf -l ./log -h 192.168.1.0/24 -s' turns into 'snort.exe -c C:\snort\snort.conf -l C:\snort\log -h 192.168.1.0/24 -s -I' YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES. NOTE: You do NOT need to add the -D option to the command line when you install the service. If -D is not there it will automatically be added. 4) How to remove the snort service. Run 'snort -R'. 5) Does the Service run on 9x/ME. Yes. It uses a horrible hack to get it to work. Because of this when you boot up you will see a black command prompt window for about 5 seconds before snort goes to the background. This service mode is considered a horrible hack and probably will not work in every situation. 6) What functions are support by the NT service. Start and Stop currently. Pause and Resume will be implemented later (Code already exists but not working properly). Any questions, comments, flames please email mike@datanerds.net --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How do I process those snort logs into HTML reports? A1: One popular solution is SnortSnarf, a tool for producing HTML out of snort alerts for navigating through these alerts (and doing a whole lot more). http://www.silicondefense.com/snortsnarf/ A2: If you want to set up loggin to a database you could try ACID Some documentation describing the current ACID functionality: http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why do certain alerts seem to have 'unknown' IPs in ACID? A: The Snort database plug-in only logs packet information into the database when an alert is triggered by a rule (signature). Therefore, since alerts generated by pre-preprocessors such as portscan and mini-fragment have no corresponding rules, no packet information is logged beyond an entry indicating their occurance. As a consequence, ACID cannot display any packet-level (e.g. IP address) information for these alerts. For these particular alerts, certain statistics may show zero unique IP addresses, list the IP address as 'unknown', and will not list any packet information when decoding the alert. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does the 'error deleting alert' message occur when attempting to delete an alert with ACIO? A: Most likely the DB user configure in ACID does not have sufficient privileges. In addition to those privileges granted to log the alerts into the database (INSERT, SELECT), DELETE is also required. This permission related issue can be confirmed by manually inserting a row into the database, then trying to delete it. 1. login to MySQL with the same credentials (i.e. username, password) as you use in ACID. e.g. % mysql -u -p 2. insert a test row into the event table mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0"); (this assumes that you don't already have a row with an event ID=1000000. If you do just choose another event id #) 3. now delete this newly inserted row mysql> DELETE FROM event WHERE sid=1 AND cid=10000000; If you where not able to delete, this confirms that this is a permission problem. Re-login to mysql as root, and issue a GRANT command (giving the DELETE permission) to the ACID DB user. e.g. GRANT DELETE on snort.* to acid@localhost (this assumes that my alert database is 'snort', username is 'acid', and logging from the 'localhost') --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: ACID appears to be broken in Lynx A: This is a known issue. Lynx mangles some of the form arguments appended to the URL. It's resolution is being investigated, but use Netscape, Opera, or IE in the mean time. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Can priorities be assigned to Alerts using ACID? A: The quick answer to this question is no. ACID is at the mercy of the underlying database, since Snort doesn't assign priorities, ACID does not have priorities. Nevertheless, there are several work-arounds: It is possible to enforce priorities of sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different versions of ACID, each pointing to a different instance of the database. With manual intervention Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as they arrive into the appropriate group. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: My ACID db connection times-out when performing long operations (e.g. deleting a large number of alerts) A: PHP has an internal variable set to limit the length an script can execute. It is used to prevent poorly written code from executing indefinitely. In order to modify the time-out value, examine the 'max_execution_time' variable found in the 'php.ini' configuration file. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why does snort report "Packet loss statistics are unavailable under Linux"? A: The Linux IP stack doesn't report lost packet stats. This may be changing in version 2.4 of Linux, but for now you just don't get them. Try one of the BSDs, they work just fine. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What the heck is a SYNFIN scan? A: SYNFIN scans got their name because there are both the SYN and FIN flags set. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What about 'SMB Name Wildcard' alerts? A: Whitehats IDS177 http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query specifies traffic coming from *outside* of your local network. Allowing netbios traffic over public networks is usually very insecure. If the rule you are using also refers to ingres traffic only, then it would explain why you don't see a lot of false positives. For anyone reading that does see a lot of false postiives - if you change your rule to reflect the source address as being !$HOME (or whatever variable you use to represent your internal network), then you should see most of the false positives go away. The value of this chack is that a default administrative share C$ ADMIN$ or some such has been accessed. This shouldn't happen in normal use - when people want to share files they should be implicitely defining the shares and ACL. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Which takes precedence, commandline or rule file ? A: The command line always gets precedence over the rules file. If people want to try stuff out quickly without having to manually edit the rules file, they should be able to override many things from the command line. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: My /var/log/snort directory get very large..... A: Try this script to archive the files. #!/bin/sh # # Logfile roation script for snort writen by jameso@elwood.net. # # This script is pretty basic. We start out by setting some vars. # Its job is tho rotate the days logfiles, e-mail you with what # it logged, keep one weeks worth of uncompressed logs, and also # keep compressed tgz files of all the logs. It is made to be run # at midnight everynight. This script expects you to have a base # dir that you keep all of your logs, rule sets etc in. You can # see what sub dirs it expects from looking at the var settings # below. # # Things to note in this script is that we run this script at 12 # every night, so we want to set the dirdate var the day the script # runs minus a day so we label the files with the correct day. We # Then create a dir for the days logs, move the log files into # todays dir. As soon as that is done restart snort so we don't miss # anything. Then delete any logs that are uncompressed and over a # week old. Then compress out todays logs and archive them away, and # end up by mailling out the logs to you. # # Define where you have the base of your snort install snortbase=/usr/snort # Define other vars # logdir - Where the logs are kept # oldlogs - Where you want the archived .tgz logs kept # weeklogs - This is where you want to keep a weeks worth of log files uncompressed # dirdate - Todays Date in Month - Day - Year format # olddirdate - Todays date in the same format as dirdate, minus a week logdir=$snortbase/log oldlogs=$snortbase/oldlogs weeklogs=$snortbase/weeklogs # When I first wrote this script, I only ran it on BSD systems. That was a # mistake, as BSD systems have a date command that apperently lets you walk the # date back pretty easily. Well, some systems don't have this feature, so I had # to change the way that dates are done in here. I left in the old way, because # it is cleaner, and I added in a new way that should be portable. If anyone # has any problems, just let me know and I will try to fix it. # # You have to change the system var to either bsd or other. Set it to bsd if # your system supports the "-v" flag. If you are not sure, set it to other. system=bsd if [ $system = bsd ] then dirdate=`date -v -1d "+%m-%d-%y"` olddirdate=`date -v -8d "+%m-%d-%y"` elif [ $system = other ] month=`date "+%m"` yesterday=`expr \`date "+%d"\` - 1` eightday=`expr \`date "+%d"\` - 8` year=`date "+%y"` dirdate=$month-$yesterday-$year olddirdate=$month-$eightday-$year fi # Create the Dir for todays logs. if [ ! -d $weeklogs/$dirdate ] then mkdir $weeklogs/$dirdate fi # Move the log files into todays log dir. This is done with # a for loop right now, because I am afriad that if alot is # logged there may be to many items to move with a "mv *" # type command. There may a better way to do this, but I don't # know it yet. for logitem in `ls $logdir` ; do mv $logdir/$logitem $weeklogs/$dirdate done # Kill and restart snort now that the log files are moved. kill `cat /var/run/snort_fxp0.pid` # Restart snort in the correct way for you /usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \ -c /usr/snort/etc/08292k.rules > /dev/null 2>&1 # Delete any uncompressed log files that over a week old. if [ -d $weeklogs/$olddirdate ] then rm -r $weeklogs/$olddirdate fi # Compress and save the log files to save for as long as you want. # This is done in a sub-shell because we change dirs, and I don't want # to do that within the shell that the script runs in. (cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1) # Mail out the log files for today. cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@domain.com --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall? A: Yes, with additional software in the conrib directory. But this can be dangerous and is not recommended unless you know what you're doing. Guardian is available and is part of the contrib directory in the tarball distribution. Guardian is a perl script which uses snort to detect attacks, and then uses IPchains to deny any further attacks. The Guardian webpage can be found at: http://www.chaotic.org/~astevens/Guardian/index.html or you can use the mirror, http://www.cyberwizards.com/~midnite/Guardian/index.html But one caveat... running external binaries can also be a performance limiter and your should read the caution below... Christopher Cramer wrote: > > I'm sure this has been mentioned before in similar discussions, but this > feels like a _really_ bad idea. What if the bad guys realize what is > going on and make use of your blocking method as a DoS attack. All one > would have to do start sending a series of triggering packets with spoofed > IP addresses. > > Since I am no longer interested in breaking into your site, but rather > making your life hell, I don't worry about the resulting data getting back > to me. All I have to do is start proceeding up a list of IP addresses > that I think you should no longer be able to talk to. When you come in > the next morning, you find that you can no longer access the world. > > Just my $0.02. > --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: How can I run snort on multiple interfaces simultaneously. A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available) the only way is to run multiple instances of snort, one instance per interface. However for linux 2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch which allows you to specify 'any' as interface name. In this case snort will be able to process traffic comming to all interfaces. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong. A: You use older libpcap version with recent linux kernel. There should be no problem with it as long as your kernel supports SOCK_PACKET socket type. To get rid off the warning message however, you'll have to upgrade to some recent version of libpcap. (a copy from www.tcpdump.org is recommended). --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: IP address is assigned dynamically to my interface, can I use snort with it? A: Yes.With snort 1.7 and later, _ADDRESS variable is available. The value of this variable will be always set to IP address/Netmask of the interface which you run snort at. if interface goes down and up again (and an IP address is reassigned) you will have to restart snort. For earlier versions of snort numerous scripts to achieve the same result are available. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument A: It's because there's another program running using the DLPI service. The HP-UX implementation doesn't allow more than one libpcap program at a time to run, unlike Linux. (from snort.c) --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong? A: You may run out of free inodes, which basically also means you can not create more files on the partition. The obvious solution is to rm some ;-)