Snort PCAP file analysing doesn't write to alert file

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite












I'm using snort in my ubuntu 14.04 virtual machine. This is how I installed snort.



sudo apt-get update
sudo apt-get install snort


I haven't change /etc/snort/snort.conf or rules file. They remain as the default and I did PCAP reading using following command.



sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap


The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in /var/log/snort directory. So I created one and gave owner permission for snort as following.



sudo chown snort.snort alert


After the PCAP reading, both snort.log and alert files have no content (Although the snort.log modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here?? Do I need to do some additional changes for rules/snort.conf files?










share|improve this question














bumped to the homepage by Community♦ yesterday


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















    up vote
    3
    down vote

    favorite












    I'm using snort in my ubuntu 14.04 virtual machine. This is how I installed snort.



    sudo apt-get update
    sudo apt-get install snort


    I haven't change /etc/snort/snort.conf or rules file. They remain as the default and I did PCAP reading using following command.



    sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap


    The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in /var/log/snort directory. So I created one and gave owner permission for snort as following.



    sudo chown snort.snort alert


    After the PCAP reading, both snort.log and alert files have no content (Although the snort.log modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here?? Do I need to do some additional changes for rules/snort.conf files?










    share|improve this question














    bumped to the homepage by Community♦ yesterday


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      I'm using snort in my ubuntu 14.04 virtual machine. This is how I installed snort.



      sudo apt-get update
      sudo apt-get install snort


      I haven't change /etc/snort/snort.conf or rules file. They remain as the default and I did PCAP reading using following command.



      sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap


      The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in /var/log/snort directory. So I created one and gave owner permission for snort as following.



      sudo chown snort.snort alert


      After the PCAP reading, both snort.log and alert files have no content (Although the snort.log modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here?? Do I need to do some additional changes for rules/snort.conf files?










      share|improve this question













      I'm using snort in my ubuntu 14.04 virtual machine. This is how I installed snort.



      sudo apt-get update
      sudo apt-get install snort


      I haven't change /etc/snort/snort.conf or rules file. They remain as the default and I did PCAP reading using following command.



      sudo /usr/sbin/snort -d -l /var/log/snort -c /etc/snort/snort.conf -r /home/navarathna/Downloads/cap2.pcap


      The PCAP file is successfully read and a snort.log file is created, but the size of that file is 0 bytes. When I installed snort, there was no alert file in /var/log/snort directory. So I created one and gave owner permission for snort as following.



      sudo chown snort.snort alert


      After the PCAP reading, both snort.log and alert files have no content (Although the snort.log modified date changes to the last read date and time). Their sizes are 0 bytes. What am I doing wrong here?? Do I need to do some additional changes for rules/snort.conf files?







      snort pcap






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 29 '15 at 16:33









      A.M.N.Bandara

      1163




      1163





      bumped to the homepage by Community♦ yesterday


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community♦ yesterday


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          It appears that snort does not write the alert log when processing a pcap file, however it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



          Since it does not write the alert log, you can get instead get snort to write the alert log messages to syslog using the flag -s (or event log in Windows using -E) e.g.:



          snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


          You should then see alerts in syslog e.g.:



          $ sudo tail -f /var/log/messages
          Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


          In your case, it is likely the snort.log contains no data because there were no alerts triggered. You should be able to confirm this, either by reviewing the syslog or in the summary report afterwards e.g.:



          Action Stats:
          Alerts: 1 ( 5.263%)
          Logged: 1 ( 5.263%)
          Passed: 0 ( 0.000%)





          share|improve this answer






















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f181842%2fsnort-pcap-file-analysing-doesnt-write-to-alert-file%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            It appears that snort does not write the alert log when processing a pcap file, however it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



            Since it does not write the alert log, you can get instead get snort to write the alert log messages to syslog using the flag -s (or event log in Windows using -E) e.g.:



            snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


            You should then see alerts in syslog e.g.:



            $ sudo tail -f /var/log/messages
            Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


            In your case, it is likely the snort.log contains no data because there were no alerts triggered. You should be able to confirm this, either by reviewing the syslog or in the summary report afterwards e.g.:



            Action Stats:
            Alerts: 1 ( 5.263%)
            Logged: 1 ( 5.263%)
            Passed: 0 ( 0.000%)





            share|improve this answer


























              up vote
              0
              down vote













              It appears that snort does not write the alert log when processing a pcap file, however it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



              Since it does not write the alert log, you can get instead get snort to write the alert log messages to syslog using the flag -s (or event log in Windows using -E) e.g.:



              snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


              You should then see alerts in syslog e.g.:



              $ sudo tail -f /var/log/messages
              Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


              In your case, it is likely the snort.log contains no data because there were no alerts triggered. You should be able to confirm this, either by reviewing the syslog or in the summary report afterwards e.g.:



              Action Stats:
              Alerts: 1 ( 5.263%)
              Logged: 1 ( 5.263%)
              Passed: 0 ( 0.000%)





              share|improve this answer
























                up vote
                0
                down vote










                up vote
                0
                down vote









                It appears that snort does not write the alert log when processing a pcap file, however it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



                Since it does not write the alert log, you can get instead get snort to write the alert log messages to syslog using the flag -s (or event log in Windows using -E) e.g.:



                snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


                You should then see alerts in syslog e.g.:



                $ sudo tail -f /var/log/messages
                Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


                In your case, it is likely the snort.log contains no data because there were no alerts triggered. You should be able to confirm this, either by reviewing the syslog or in the summary report afterwards e.g.:



                Action Stats:
                Alerts: 1 ( 5.263%)
                Logged: 1 ( 5.263%)
                Passed: 0 ( 0.000%)





                share|improve this answer














                It appears that snort does not write the alert log when processing a pcap file, however it should write the correct packet capture log (e.g. /var/log/snort/snort.log.1502097194).



                Since it does not write the alert log, you can get instead get snort to write the alert log messages to syslog using the flag -s (or event log in Windows using -E) e.g.:



                snort -s -l /var/log/snort/ -r /pcaps/example.pcap -c /etc/snort/snort.conf


                You should then see alerts in syslog e.g.:



                $ sudo tail -f /var/log/messages
                Aug 7 09:08:05 snort snort: [1:2101919:23] GPL FTP CWD overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] TCP 142.167.88.44:61383 -> 192.168.5.122:21


                In your case, it is likely the snort.log contains no data because there were no alerts triggered. You should be able to confirm this, either by reviewing the syslog or in the summary report afterwards e.g.:



                Action Stats:
                Alerts: 1 ( 5.263%)
                Logged: 1 ( 5.263%)
                Passed: 0 ( 0.000%)






                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Aug 7 '17 at 9:29

























                answered Aug 7 '17 at 9:24









                Peter Gallagher

                11




                11



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f181842%2fsnort-pcap-file-analysing-doesnt-write-to-alert-file%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?