[SOLVED] no IDS logs??

General questions.
axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

[SOLVED] no IDS logs??

Post by axel2078 » February 10th, 2013, 10:11 pm

For some reason, my system doesn't seem to be logging for IDS.  I have verified that on the IDS page, RED Snort is checked, as well as Guardian.  The Guardian config is below:

Interface: red0
Tmelimit: 86400
Logfile: /var/log/guardian/guardian.log
Alertfile: /var/log/snort/alert
Ignorefile: empty

Under the IDS rules section, I have 24 rules selected.  Whenever I go to Logs > IDS Logs, it's always empty (no logs) no matter what day I select.  I find this odd because when I was running Smoothwall on this same machine, there were always IDS logs present.  Is something wrong with my configuration?
Last edited by axel2078 on March 16th, 2013, 11:13 pm, edited 1 time in total.

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: no IDS logs??

Post by BeBiMa » February 10th, 2013, 10:39 pm

If you look from a shell: Are the files empty?
Unitymedia Cable Internet ( 32MBit )

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 10th, 2013, 10:49 pm

Yes, they are empty. The guardian log has entries about receiving the kill signal from some reboots I did, but that's it.

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 11th, 2013, 12:09 am

If it makes a difference, I am using Sourcefire VRT rules for registered users and my rules were last updated Jan. 24th. Is this a common problem with IPfire? I've seen other posts about it with no solution given, like this one. http://forum.ipfire.org/index.php/topic,6288.30.html

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 14th, 2013, 4:03 pm

Anyone? Surely this can be resolved somehow. The Guardian add-on is essentially useless if there are no logs for it to act on.
Last edited by axel2078 on February 14th, 2013, 4:05 pm, edited 1 time in total.

andremorro
Global Moderator
Posts: 515
Joined: July 4th, 2012, 1:17 pm
Location: Florianópolis, SC - Brasil

Re: no IDS logs??

Post by andremorro » February 14th, 2013, 5:26 pm

Hi axel2078

I've done a few tests here (in both servers) and they both seem to be filling up my logs.

I remembered once I had a problem with a few rules and cuz' of that snort never started.

Just to be sure, have you tried stopping and starting snort to see if there's any "failure" about rules? (terminal mode, or putty).

Kill snort processes and:


/usr/sbin/snort -c /etc/snort/snort.conf -i red0


and


/usr/sbin/snort -c /etc/snort/snort.conf -i green0


If everything is okay, only this should appear:

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.7 2008-05-07
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
Commencing packet processing (pid=16032)
Last edited by andremorro on February 14th, 2013, 6:21 pm, edited 1 time in total.

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 14th, 2013, 7:18 pm

I haven't tried this, but I will. What's the correct syntax to stop and start snort from the command line?

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 15th, 2013, 1:07 am

I killed snort and ran the command you gave and it did yield the output you showed, plus a lot more before it. I restarted snort and took a look at the contents of the snort directory and as you can see, nothing is being written to any log.

-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert
-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert.1
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.2.gz
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438562
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438583
-rw-r--r-- 1 root root  0 2013-01-29 03:12 snort.log.1359450779
-rw-r--r-- 1 root root  0 2013-01-29 03:13 snort.log.1359450800
-rw-r--r-- 1 root root  0 2013-01-29 03:18 snort.log.1359451118
-rw-r--r-- 1 root root  0 2013-01-29 03:19 snort.log.1359451140
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316

telserv

Re: no IDS logs??

Post by telserv » February 15th, 2013, 7:15 pm

I have the same issue. 

There are Snort logs, but aren't in text format, so I can't read them.  Snort is outputting messages to the syslog server, so it is working, but not showing IPfire IDS logs of those same events.

This may or may not be related.  The log summary page shows "No (or only partial) logs exist for the day queried: /var/log/logwatch/2013-02-14 could not be opened."  When I checked the /var/log/logwatch directory, there are no entries in it since the day the system was installed (end January).  This is a ver 2.11 new install, and I'm having a lot of fun with it  ;D

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 15th, 2013, 9:29 pm

Mine is a brand new installation as well and I'm kind of surprised that this doesn't work. Does it depend on which rule sets you choose for snort or something? I don't get it.

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

Re: no IDS logs??

Post by axel2078 » February 17th, 2013, 7:42 pm

I noticed this in /var/log/messages.  Does this indicate a problem with snort?

Feb 17 07:53:00 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049204 bytes (client queue). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x406007
Feb 17 08:15:03 ipfire snort[4919]: S5: Pruned session from cache that was using 1165364 bytes (closed normally). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x60e007
Feb 17 11:22:55 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049424 bytes (client queue). 75.132.x.x 33319 --> 108.175.38.93 80 (0) : LWstate 0x9 LWFlags 0x406007
Feb 17 11:40:21 ipfire snort[4919]: S5: Pruned session from cache that was using 1167344 bytes (closed normally). 75.132.x.x 33319 --> 108.175.38.93 80 (0) : LWstate 0x9 LWFlags 0x60e007
Feb 17 11:51:41 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1048758 bytes (client queue). 75.132.x.x 38976 --> 108.175.39.141 80 (0) : LWstate 0x9 LWFlags 0x406007

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: no IDS logs??

Post by Arne.F » February 18th, 2013, 2:21 pm

Maybe there is a bug in snort. Or you have not enough memory.
Arne

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

axel2078
Posts: 294
Joined: January 30th, 2013, 3:53 am
Location: IL, USA

no IDS logs??

Post by axel2078 » February 18th, 2013, 3:27 pm

Arne.F wrote: Maybe there is a bug in snort. Or you have not enough memory.


2 GB isn't enough?

telserv

Re: no IDS logs??

Post by telserv » February 19th, 2013, 1:04 am

Arne.F wrote: Maybe there is a bug in snort.


Actually axel2078, the suggestion that the problem could be in Snort may be worth investigation.  That is, if someone could suggest how we go about that?  How can we eliminate snort as the cause of the problem? 

andremorro
Global Moderator
Posts: 515
Joined: July 4th, 2012, 1:17 pm
Location: Florianópolis, SC - Brasil

Re: no IDS logs??

Post by andremorro » February 19th, 2013, 12:28 pm

axel2078 wrote: I killed snort and ran the command you gave and it did yield the output you showed, plus a lot more before it. I restarted snort and took a look at the contents of the snort directory and as you can see, nothing is being written to any log.

-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert
-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert.1
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.2.gz
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438562
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438583
-rw-r--r-- 1 root root  0 2013-01-29 03:12 snort.log.1359450779
-rw-r--r-- 1 root root  0 2013-01-29 03:13 snort.log.1359450800
-rw-r--r-- 1 root root  0 2013-01-29 03:18 snort.log.1359451118
-rw-r--r-- 1 root root  0 2013-01-29 03:19 snort.log.1359451140
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316


All right then! As I can see here, the last log file was written on 2013-02-14 (5 days ago), the same day you wrote this!

-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316

So, you have logs.

Next step is to check if you're under attack or possible attacks.

Try using one of those web port scanners, and check (in the WebGUI) if IDS Logs reports anything.

Also, cat'ing the snort.log does not always show comprehensible text.
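The thread boils down to three questions that can be answered from a shell: is Snort actually running on the interface, is the Alertfile that Guardian reads the same file Snort writes, and has that file ever received an alert (the snort.log.* files are binary packet logs, the alert file is the text one the IDS Logs page and Guardian depend on). The following health check is an added example, not code from the thread or from IPFire; it assumes a Guardian settings file written as "Key: value" lines like the config pasted in the first post, which is an assumption about the format, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not IPFire's or the thread's code): health check for the
# Snort -> /var/log/snort/alert -> Guardian/WebGUI logging chain.
# ASSUMPTION: the Guardian settings file uses "Key: value" lines such as
# "Alertfile: /var/log/snort/alert"; adjust guardian_alertfile() if not.

# alert_state FILE -> prints missing|empty|active
alert_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo active
    fi
}

# guardian_alertfile CONFIG -> prints the path after "Alertfile:" (assumed format)
guardian_alertfile() {
    sed -n 's/^[Aa]lertfile:[[:space:]]*//p' "$1" | head -n 1
}

# snort_running IFACE -> exit 0 when a snort process started with "-i IFACE" exists
snort_running() {
    ps -eo args 2>/dev/null | grep -v grep | grep -q -- "snort .*-i $1"
}

# ids_check IFACE SNORT_ALERT GUARDIAN_CONFIG -> one line per finding,
# exit status 0 only when every check passes
ids_check() {
    iface="$1"; snort_alert="$2"; cfg="$3"; rc=0
    if snort_running "$iface"; then
        echo "ok: snort is running on $iface"
    else
        echo "FAIL: no snort process on $iface (start it by hand to see rule load errors)"; rc=1
    fi
    g=$(guardian_alertfile "$cfg")
    if [ "$g" = "$snort_alert" ]; then
        echo "ok: guardian reads $g"
    else
        echo "FAIL: guardian Alertfile '$g' is not snort's alert file '$snort_alert'"; rc=1
    fi
    case "$(alert_state "$snort_alert")" in
        active)  echo "ok: $snort_alert contains alerts" ;;
        empty)   echo "WARN: $snort_alert is empty: no enabled rule has fired yet, or snort is not writing there"; rc=1 ;;
        missing) echo "FAIL: $snort_alert does not exist"; rc=1 ;;
    esac
    return $rc
}
```

Run it as root on the firewall, e.g. `ids_check red0 /var/log/snort/alert /path/to/guardian/settings` (placeholder path); an empty alert file with a running Snort means no enabled rule has matched any traffic yet, which is what andremorro's port-scan test is meant to provoke.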