Centos – Snort: not logging anything

centossnort

My site seems to be the target of quite a bit of probing over the last few months. In an attempt to get a better handle on this I installed SNORT on one of the machines that has external exposure. Something must not be installed correctly as I see lots of probing in /var/log/messages but snort isn't logging anything.

System: CentOS 6.2 (32 bit)
Snort: (latest build and rules)

Snort configured from this v excellent site: http://nachum234.no-ip.org/security/snort/001-snort-installation-on-centos-6-2/

snort running as daemon: /usr/local/bin/snort -d -D -i bond0 -u snort -g snort -c /etc/snort.d/snort.conf -l /var/log/snort

The snort.log file is empty despite hundreds (or more) failed login attempts from individual IP addresses. Maybe Im missing the purpose of SNORT? I was hoping it would log this sort of info.

Best Answer

As long as the Snort daemon is running the problem that generally causes this behavior is usually one of three things:

Missing rule set, does not appear to apply here.
Interface not configured correctly (listening on inside interface, not external monitor port)
External interface not connected via a tap (if you are monitoring other hosts).

My best guess at this point is that probably need to specify the interface to the daemon differently. Unless you are actually using a bonded interface (not mentioned in your question) that would be the first place I would look.

Related Solutions

CentOS and MySQL

From the remi repo, you need mysql-server. Try yum install mysql-server; you'll then be able to chkconfig and service mysqld to your heart's content.

If your remi repo isn't enabled by default, it'll be yum --enablerepo=remi install mysql-server; try that if you get a bunch of unresolved dependency messages.

Snort not logging full output to syslog

You are likely seeing everything that you can actually see. Snort operates much like an anti-virus application. You provide it a list of signatures that indicate badness (the rules files) and whenever the Snort sees a traffic pattern that matches said signature, it throws an alert. The information you receive for each alert is configured by the rule author. For example, let's look at the following alert

[1:2013497:2] ET TROJAN MS Terminal Server User A Login, possible Morto inbound [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.15.253.22:3254 -> 192.168.100.15:3389

Right, so we know

4-tuple that identifies the network connection, (10.15.253.22:3254 -> 192.168.100.15:3389)
a description that explains what this alert means (the bit about Morto)
and the rule ID (2013497)

Now, let's look at the actual rule that triggered this.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2;)

We can see that the descriptive text that we get alerted on is in the msg field. That is really just a free-text field that is used by the rule author to let us know what's going on. When syslogging an alert the Snort application only logs this information. That is, you won't get anything else. Now, I think that you're after is the reference, CAN-2001-0540.

What you need to look at are some of the additional programs that operate with Snort. There are a number of them that have existed for years. The two projects that immediately spring to my mind are Snorby and BASE. Setting up either one of them will increased the complexity of your environment, but it may be worth it.

Best Answer

Related Solutions

CentOS and MySQL

Snort not logging full output to syslog

Related Topic