Snort PCAP file analysing doesn't write to alert file

I'm using snort in my Ubuntu 14.04 virtual machine. This is how I installed snort.



sudo apt-get update
sudo apt-get install snort


I haven't changed /etc/snort/snort.conf or the rules files. They remain at the defaults, and I read the PCAP using the following command.



sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap


The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in the /var/log/snort directory, so I created one and gave ownership to the snort user as follows.



sudo chown snort.snort alert


After reading the PCAP, both the snort.log and alert files have no content (although the modification date of snort.log changes to the date and time of the last read). Their sizes are 0 bytes. What am I doing wrong here? Do I need to make additional changes to the rules or snort.conf files?










      snort pcap






      asked Jan 29 '15 at 16:33









      A.M.N.Bandara

          1 Answer
It appears that snort does not write the alert log when processing a pcap file; however, it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



Since it does not write the alert log, you can instead get snort to write the alert messages to syslog using the -s flag (or to the event log on Windows using -E), e.g.:



          snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


You should then see alerts in syslog, e.g.:



          $ sudo tail -f /var/log/messages
          Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


In your case, it is likely that snort.log contains no data because no alerts were triggered. You should be able to confirm this either by reviewing the syslog or in the summary report afterwards, e.g.:



          Action Stats:
          Alerts: 1 ( 5.263%)
          Logged: 1 ( 5.263%)
          Passed: 0 ( 0.000%)





                edited Aug 7 '17 at 9:29

























                answered Aug 7 '17 at 9:24









                Peter Gallagher
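
As an added example (not code from the question or the answer), here is a small Python parser for the syslog alert line and the Action Stats summary shown in the answer, so that "no rule fired" can be told apart from "alerts fired but were not written to the alert file". It also accepts the -A fast alert-file line format, which the answer does not show; the sample syslog excerpt, the ICMP alert and the stats blocks are constructed.

```python
import re

# Snort alert line, as written to syslog by -s or to the alert file by -A fast:
# [gid:sid:rev] msg [**]? [Classification: ...]? [Priority: n] PROTO src:port -> dst:port
# IPv4 endpoints are assumed; ports are optional (ICMP alerts carry none).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[\*\*\]\s+)?"                                  # -A fast separator
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{?(?P<proto>[A-Za-z]+)\}?\s+"                     # TCP (syslog) or {TCP} (fast)
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?")
# Counters from the "Action Stats" block Snort prints when the pcap is exhausted.
STAT_RE = re.compile(r"^\s*(Alerts|Logged|Passed):\s*(\d+)", re.M)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def parse_alerts(text):
    """All Snort alerts in a syslog or alert-file excerpt; other lines are skipped."""
    return [a for a in map(parse_alert, text.splitlines()) if a]

def parse_action_stats(text):
    """{'Alerts': n, 'Logged': n, 'Passed': n} from the end-of-run summary."""
    return {k: int(v) for k, v in STAT_RE.findall(text)}

def alerts_triggered(stats_text):
    """True if at least one rule fired: an empty alert file then points at the
    output sink (-s / -A / output plugin), not at the rules."""
    return parse_action_stats(stats_text).get("Alerts", 0) > 0

# Constructed sample input: the syslog line quoted in the answer, an unrelated
# cron line, and one -A fast style line; two stats blocks show both outcomes.
SYSLOG_SAMPLE = """\
Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21
Aug 7 09:08:06 snort CRON[2231]: (root) CMD (run-parts /etc/cron.hourly)
08/07-09:08:07.000000  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.5.122 -> 192.168.5.1
"""
STATS_WITH_ALERTS = "Action Stats:\n  Alerts: 1 ( 5.263%)\n  Logged: 1 ( 5.263%)\n  Passed: 0 ( 0.000%)\n"
STATS_NO_ALERTS = "Action Stats:\n  Alerts: 0 ( 0.000%)\n  Logged: 0 ( 0.000%)\n  Passed: 0 ( 0.000%)\n"
```

Run parse_alerts over the output of the tail command from the answer (or over the -A fast alert file) and parse_action_stats over Snort's end-of-run summary; if the stats show Alerts: 0, the empty alert file is expected and the rules simply did not match the capture.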
