[SOLVED] no IDS logs??

Posted: February 10th, 2013, 10:11 pm
by axel2078
For some reason, my system doesn't seem to be logging for IDS.  I have verified that on the IDS page, RED Snort is checked, as well as Guardian.  The Guardian config is below:

Interface: red0
Tmelimit: 86400
Logfile: /var/log/guardian/guardian.log
Alertfile: /var/log/snort/alert
Ignorefile: empty

Under the IDS rules section, I have 24 rules selected.  Whenever I go to Logs > IDS Logs, it's always empty (no logs) no matter what day I select.  I find this odd because when I was running Smoothwall on this same machine, there were always IDS logs present.  Is something wrong with my configuration?

Re: no IDS logs??

Posted: February 10th, 2013, 10:39 pm
by BeBiMa
If you look from a shell: Are the files empty?

Re: no IDS logs??

Posted: February 10th, 2013, 10:49 pm
by axel2078
Yes, they are empty. The guardian log has entries about receiving the kill signal from some reboots I did, but that's it.

Re: no IDS logs??

Posted: February 11th, 2013, 12:09 am
by axel2078
If it makes a difference, I am using Sourcefire VRT rules for registered users and my rules were last updated Jan. 24th. Is this a common problem with IPfire? I've seen other posts about it with no solution given, like this one. http://forum.ipfire.org/index.php/topic,6288.30.html

Re: no IDS logs??

Posted: February 14th, 2013, 4:03 pm
by axel2078
Anyone? Surely this can be resolved somehow. The Guardian add-on is essentially useless if there are no logs for it to act on.

Re: no IDS logs??

Posted: February 14th, 2013, 5:26 pm
by andremorro
Hi axel2078

I've done a few tests here (on both servers) and they both seem to be filling up my logs.

I remembered once I had a problem with a few rules and because of that snort never started.

Just to be sure, have you tried stopping and starting snort to see if there's any "failure" about rules? (terminal mode, or putty).

Kill snort processes and:

/usr/sbin/snort -c /etc/snort/snort.conf -i red0


and

/usr/sbin/snort -c /etc/snort/snort.conf -i green0


If everything is okay, this is what should appear:

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.7 2008-05-07
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
Commencing packet processing (pid=16032)

Re: no IDS logs??

Posted: February 14th, 2013, 7:18 pm
by axel2078
I haven't tried this, but I will. What's the correct syntax to stop and start snort from the command line?

Re: no IDS logs??

Posted: February 15th, 2013, 1:07 am
by axel2078
I killed snort and ran the command you gave and it did yield the output you showed, plus a lot more before it. I restarted snort and took a look at the contents of the snort directory and as you can see, nothing is being written to any log.

-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert
-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert.1
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.2.gz
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438562
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438583
-rw-r--r-- 1 root root  0 2013-01-29 03:12 snort.log.1359450779
-rw-r--r-- 1 root root  0 2013-01-29 03:13 snort.log.1359450800
-rw-r--r-- 1 root root  0 2013-01-29 03:18 snort.log.1359451118
-rw-r--r-- 1 root root  0 2013-01-29 03:19 snort.log.1359451140
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316

Re: no IDS logs??

Posted: February 15th, 2013, 7:15 pm
by telserv
I have the same issue. 

There are Snort logs, but they aren't in text format, so I can't read them.  Snort is outputting messages to the syslog server, so it is working, but not showing IPfire IDS logs of those same events.

This may or may not be related.  The log summary page shows "No (or only partial) logs exist for the day queried: /var/log/logwatch/2013-02-14 could not be opened."  When I checked the /var/log/logwatch directory, there are no entries in it since the day the system was installed (end January).  This is a ver 2.11 new install, and I'm having a lot of fun with it  ;D

Re: no IDS logs??

Posted: February 15th, 2013, 9:29 pm
by axel2078
Mine is a brand new installation as well and I'm kind of surprised that this doesn't work. Does it depend on which rule sets you choose for snort or something? I don't get it.

Re: no IDS logs??

Posted: February 17th, 2013, 7:42 pm
by axel2078
I noticed this in /var/log/messages.  Does this indicate a problem with snort?

Feb 17 07:53:00 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049204 bytes (client queue). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x406007
Feb 17 08:15:03 ipfire snort[4919]: S5: Pruned session from cache that was using 1165364 bytes (closed normally). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x60e007
Feb 17 11:22:55 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049424 bytes (client queue). 75.132.x.x 33319 --> 108.175.38.93 80 (0) : LWstate 0x9 LWFlags 0x406007
Feb 17 11:40:21 ipfire snort[4919]: S5: Pruned session from cache that was using 1167344 bytes (closed normally). 75.132.x.x 33319 --> 108.175.38.93 80 (0) : LWstate 0x9 LWFlags 0x60e007
Feb 17 11:51:41 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1048758 bytes (client queue). 75.132.x.x 38976 --> 108.175.39.141 80 (0) : LWstate 0x9 LWFlags 0x406007
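
The three facts in each of those lines (the configured queue limit, the bytes actually queued, and whether Stream5 later pruned the session and why) are easier to judge per session than per line. The following is an added Python example, not code from the thread, run over a constructed copy of the S5 lines quoted above; the two regexes match only the two message forms shown in the post.

```python
import re
from collections import defaultdict

# Constructed copy of the Stream5 ("S5") notices quoted in the post, client address masked as posted.
SAMPLE_MESSAGES = """\
Feb 17 07:53:00 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049204 bytes (client queue). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x406007
Feb 17 08:15:03 ipfire snort[4919]: S5: Pruned session from cache that was using 1165364 bytes (closed normally). 75.132.x.x 60511 --> 108.175.38.100 80 (0) : LWstate 0x9 LWFlags 0x60e007
Feb 17 11:22:55 ipfire snort[4919]: S5: Session exceeded configured max bytes to queue 1048576 using 1049424 bytes (client queue). 75.132.x.x 33319 --> 108.175.38.93 80 (0) : LWstate 0x9 LWFlags 0x406007
"""

SESSION = r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
EXCEEDED = re.compile(r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
                      r"using (?P<used>\d+) bytes \((?P<queue>\w+) queue\)\. " + SESSION)
PRUNED = re.compile(r"S5: Pruned session from cache that was using (?P<used>\d+) bytes "
                    r"\((?P<reason>[^)]+)\)\. " + SESSION)

def parse_s5(text):
    """Return a list of (kind, session, details) for each S5 line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        for kind, pattern in (("exceeded", EXCEEDED), ("pruned", PRUNED)):
            m = pattern.search(line)
            if m:
                d = m.groupdict()
                session = (d.pop("src"), int(d.pop("sport")), d.pop("dst"), int(d.pop("dport")))
                details = {k: (int(v) if v.isdigit() else v) for k, v in d.items()}
                records.append((kind, session, details))
                break
    return records

def summarize(records):
    """Per session: configured limit, worst overshoot in bytes, and how (if at all) Stream5 pruned it."""
    by_session = defaultdict(lambda: {"limit": None, "overshoot": 0, "pruned": None})
    for kind, session, d in records:
        s = by_session[session]
        if kind == "exceeded":
            s["limit"] = d["limit"]
            s["overshoot"] = max(s["overshoot"], d["used"] - d["limit"])
        else:
            s["pruned"] = d["reason"]
    return dict(by_session)

if __name__ == "__main__":
    for session, s in summarize(parse_s5(SAMPLE_MESSAGES)).items():
        print(f"{session[0]}:{session[1]} -> {session[2]}:{session[3]}: "
              f"limit={s['limit']} overshoot={s['overshoot']} pruned={s['pruned']}")
```

A session that exceeds the limit by a few hundred bytes and is then pruned "closed normally" is a queue-limit notice, not a failed alert write; a session that is never pruned or that overshoots by far more is the one worth looking at.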

Re: no IDS logs??

Posted: February 18th, 2013, 2:21 pm
by Arne.F
Maybe there is a bug in snort. Or you have not enough memory.

no IDS logs??

Posted: February 18th, 2013, 3:27 pm
by axel2078
Arne.F wrote: Maybe there is a bug in snort. Or you have not enough memory.

2 GB isn't enough?

Re: no IDS logs??

Posted: February 19th, 2013, 1:04 am
by telserv
Arne.F wrote: Maybe there is a bug in snort.

Actually axel2078, the suggestion that the problem could be in Snort may be worth investigation.  That is, if someone could suggest how we go about that?  How can we eliminate snort as the cause of the problem?

Re: no IDS logs??

Posted: February 19th, 2013, 12:28 pm
by andremorro
axel2078 wrote: I killed snort and ran the command you gave and it did yield the output you showed, plus a lot more before it. I restarted snort and took a look at the contents of the snort directory and as you can see, nothing is being written to any log.

-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert
-rw-r--r-- 1 root root  0 2013-02-10 00:01 alert.1
-rw-r--r-- 1 root root 20 2013-02-03 00:02 alert.2.gz
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438562
-rw-r--r-- 1 root root  0 2013-01-28 23:49 snort.log.1359438583
-rw-r--r-- 1 root root  0 2013-01-29 03:12 snort.log.1359450779
-rw-r--r-- 1 root root  0 2013-01-29 03:13 snort.log.1359450800
-rw-r--r-- 1 root root  0 2013-01-29 03:18 snort.log.1359451118
-rw-r--r-- 1 root root  0 2013-01-29 03:19 snort.log.1359451140
-rw-r--r-- 1 root root 24 2013-02-10 10:27 snort.log.1360513061
-rw-r--r-- 1 root root  0 2013-02-10 18:29 snort.log.1360542580
-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316

All right then! As I can see here, the last log file was written on 2013-02-14 (5 days ago), the same day you wrote this!

-rw-r--r-- 1 root root  0 2013-02-14 19:05 snort.log.1360890316

So, you have logs.

Next step is to check if you're under attack or possible attacks.

Try using one of those web port scanners, and check (in the WebGUI) whether IDS Logs reports anything.

Also, if you cat the snort.log, it does not always show comprehensible text.
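
The two observations in that post (the directory does contain a recently written file, and cat on a snort.log.* file does not always give readable text) can be checked in one pass by looking at each file's size and leading bytes. This is an added Python example, not code from the thread or from IPfire: the pcap and gzip magic numbers are the standard ones, and make_sample_dir() builds a constructed stand-in for /var/log/snort rather than reading the real directory.

```python
import os
import tempfile

# Magic numbers of file formats that may sit in a Snort log directory.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",   # libpcap, either byte order
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}   # nanosecond-resolution variants
GZIP_MAGIC = b"\x1f\x8b"
TEXT_CONTROL = {9, 10, 13}  # tab, LF and CR are normal in text files

def classify(path):
    """Explain why a log file does or does not show readable text when cat'ed."""
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as f:
        head = f.read(512)
    if head[:4] in PCAP_MAGICS:
        return "binary (pcap packet log)"
    if head.startswith(GZIP_MAGIC):
        return "binary (gzip-compressed)"
    if any(b == 0 or (b < 32 and b not in TEXT_CONTROL) for b in head):
        return "binary (unknown format)"
    return "text"

def report(directory):
    """Return [(name, size, classification)] ordered oldest to newest by mtime."""
    entries = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries.append((os.path.getmtime(path), name, os.path.getsize(path), classify(path)))
    return [(n, s, c) for _, n, s, c in sorted(entries)]

def make_sample_dir():
    """Constructed stand-in for /var/log/snort with one file of each kind (not real data)."""
    d = tempfile.mkdtemp(prefix="snortlog-")
    open(os.path.join(d, "alert"), "wb").close()                     # empty alert file, as in the thread
    with open(os.path.join(d, "alert.1"), "w") as f:                 # text alert file with one entry
        f.write("[**] [1:1000001:1] constructed test alert [**]\n")
    with open(os.path.join(d, "snort.log.1360890316"), "wb") as f:  # pcap global header, no packets
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16)
    with open(os.path.join(d, "alert.2.gz"), "wb") as f:            # gzip header bytes only
        f.write(GZIP_MAGIC + b"\x08\x00" + b"\x00" * 6)
    return d

if __name__ == "__main__":
    for name, size, kind in report(make_sample_dir()):
        print(f"{name:24} {size:6d} {kind}")
```

Run against the real directory with report("/var/log/snort"): an "empty" alert file next to "binary (pcap packet log)" snort.log.* files means packets are being logged but no rule has fired, which is a different problem from Snort not running at all.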