SNORT FAQ



SNORT FAQ



$Id: FAQ,v 1.13 2002/03/05 06:04:11 cazz Exp $

Suggestions for enhancements of this document are
always welcome please email them to Dragos Ruiu at 
dr@kyx.net

The following people have contributed to this faq:

Marty Roesch
Fyodor Yarochkin
Dragos Ruiu
Jed Pickel
Max Vision
Michael Davis
Joe McAlerney
Joe Stewart
Erek Adams
Roman Danyliw
Christopher Cramer
Frank Knobbe
Phil Wood   
Toby Kohlenberg
Ramin Alidousti
Jim Hankins
Dennis Hollingworth
Paul Howell 
Stef Mit    
Ofir Arkin
Jason Haar
Blake Frantz
Lars Norman Søndergaard
Brent Erickson
Brian Caswell

-----------------------------------------------------------------------------


Frequently Asked Questions about "snort"


Section 1: Snort Background
--------------------------
1.1 Q:  How do you pronounce the names of some of these guys who work on snort?
1.2 Q:  Is Fyodor Yarochkin the same Fyodor who wrote nmap?
1.3 Q:  Where do I get more help on snort?
1.4 Q:  Where can I get more reading and courses about IDS?
1.5 Q:  Does Snort handle IP defragmentation?
1.6 Q:  Does Snort perform TCP stream reassembly? 
1.7 Q:  Does Snort do stateful protocol analysis?
1.8 Q:  I'm on a switched network, can I still use Snort?
1.9 Q:  I've heard IDSes are vulnerable to noise generators like "Stick" and 
       "Snot".  Is snort vulnerable?
1.10 Q:  I've heard it is possible to use polymorphic mutators on shellcode?
1.11 Q:  Does Snort log the full packets that it generates alerts? 

Section 2: Getting Started
--------------------------
2.1 Q:  How do I run snort?
2.2 Q:  Where are my log files located?  What are they named?
2.3 Q:  Where's a good place to physically put a Snort sensor?
2.4 Q:  Libpcap complains about permissions problems, what's going on?
2.5 Q:  Why does snort complain about /var/log/snort?
2.6 Q:  I've got RedHat and ....
2.7 Q:  Where do I get the latest version of libpcap?
2.8 Q:  Why does building snort complain about missing references?
2.9 Q:  Why does building snort fail with errors about yylex and lex_init?
2.10 Q:  I Want to build a snort box.  Will this <Insert List> handle 
          <this much> traffic?
2.11 Q:  What are CIDR netmasks?
2.12 Q:  What is the use of the "-r" switch to read tcpdump files? 

Section 3: Configuring Snort
----------------------------
3.1 Q:  How do I setup snort on a 'stealth' interface?
3.2 Q:  How do I run snort on an interface with no IP address?
3.3 Q:  My network spans multiple subnets.  How do I define HOME_NET?
3.4 Q:  How can I run snort on multiple interfaces simultaneously?
3.5 Q:  IP address is assigned dynamically to my interface, can I use snort 
       with it?
3.6 Q:  I have one network card and two aliases, how can I force snort to 
       "listen" on both addresses ? 
3.7 Q:  How do I ignore traffic coming from a particular host or hosts?
3.8 Q:  How do I get Snort to log the packet payload as well as the header? 
3.9 Q:  Why are there no subdirectories under /var/log/snort for IP addresses?
3.10 Q:  How do you get snort to ignore some traffic?
3.11 Q:  Why does the portscan plugin log "stealth" packets even though the 
        host is in the portscan-ignorehosts list?
3.12 Q:  Which takes precedence, commandline or rule file ?
3.13 Q:  How does rule ordering work?
3.14 Q:  How do I configure stream4?
3.15 Q:  Where does one obtain new/modifed rules? How do you merge them in?
3.16 Q:  How do you get the latest snort via cvs?

Section 4: Snort Rules and Alerts
---------------------------------
4.1 Q:  When I start snort I get errors from my rules files
4.2 Q:  Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"
4.3 Q:  Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully 
       quiet...
4.4 Q:  I'm getting large amounts of some alerts type. What should I do?  Where
       can I go to find out more about it?
4.5 Q:  What about all these false alarms?
4.6 Q:  What are all these ICMP files in subdirectories under /var/log/snort?
4.7 Q:  Why does the program generate alerts on packets that have pass rules? 
4.8 Q:  What are all these "ICMP destination unreachable" alerts?
4.9 Q:  Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
4.10 Q:  What are these IDS codes in the alert names?
4.11 Q:  Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
4.12 Q:  What about "CGI Null Byte attacks"?
4.13 Q:  Why do certain alerts seem to have 'unknown' IPs in ACID?
4.14 Q:  Can priorities be assigned to Alerts using ACID? 
4.15 Q:  What about 'SMB Name Wildcard' alerts?
4.16 Q:  What the heck is a SYNFIN scan?
4.17 Q:  I am getting too many "IIS Unicode attack detected" and/or "CGI Null 
        Byte attack detected" false positives.  How can I turn this detection 
        off?
4.18 Q:  How do I test snort alerts and logging?

Section 5: Getting Fancy
------------------------
5.1 Q:  How do I process those snort logs into HTML reports?
5.2 Q:  How do I log to multiple databases?
5.3 Q:  How can I test snort without having an ethnernet card or a connection 
       to other computers? 
5.4 Q:  How to start snort as a win32 service?
5.5 Q:  Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
5.6 Q:  Snort complains about the "react" keyword...
5.7 Q:  How do I get snort to e-mail me alerts?
5.8 Q:  How do I log a specific type of traffic and send alerts to syslog?
5.9 Q:  Is it possible to have snort call an external program when an alert 
       is raised?   

Section 6: Problems
-------------------
6.1 Q:  I think I found a bug in snort. Now what?
6.2 Q:  SMB alerts aren't working, what's wrong? 
6.3 Q:  Snort says "Garbage Packet with Null Pointer discarded!". Huh?
6.4 Q:  Snort says "Ran Out Of Space". Huh?
6.5 Q:  I'm having problems getting snort to log to a database...
6.6 Q:  My ACID db connection times-out when performing long operations (e.g.
       deleting a large number of alerts) 
6.7 Q:  Why does snort report "Packet loss statistics are unavailable under 
       Linux"?
6.8 Q:  My /var/log/snort directory get very large...
6.9 Q:  Why does the 'error deleting alert' message occur when attempting to 
       delete an alert with ACIO? 
6.10 Q:  ACID appears to be broken in Lynx 
6.11 Q:  I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' 
        warnings, what's wrong.
6.12 Q:  on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid 
        argument
6.13 Q:  I am getting snort dying with 'can not create file' error and I have 
        plenty of diskspace, what's wrong?
6.14 Q:  I am using Snort on Windows and receive an OpenPcap() error upon 
        startup:
6.15 Q:  Snort is not logging to my database
6.16 Q:  Portscans are not being logged to my database
6.17 Q:  Snort is not logging to syslog
6.18 Q:  I am still getting bombarded with spp_portscan messages even though 
        the IP that I am getting the portscan from is in my $DNS_SERVERs var
6.19 Q:  Why chrooted snort die when I send it a SIGHUP? 
6.20 Q:  My snort crashes, how do I restart it? 
6.21 Q:  Why can't snort see one of either the 10Mbps or 100Mbps traffic on my 
        autoswitch hub

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

***************************************
Section 1: SNORT BACKGROUND

*************************************** 1.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do you pronounce the names of some of these guys who work on snort? A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And Jed's last name is like "pick-el", not "pickle". :) 1.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap? A: Nope. fyodor@insecure.org is the author of nmap, and he uses the same pseudonym as other snort Fyodor's real surname. Yeah, messes up my mailbox too, but I think it's too late to change either of them :-). 1.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where do I get more help on snort? A: Check the website, http://www.snort.org. Other good resources are are available in the source distribution, including the Snort Users Manual (SnortUsersManual.pdf) and the USAGE file. 1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where can I get more reading and courses about IDS? A: SANS, USENIX and Networld/Interop offer courses on Intrusion detection. http://www.sans.org http://www.usenix.org/event/ http://www.key3media.com/interop/ Many good books on Intrusion detection are available. Included is just a few: Network Intrusion Detection An Analyst's Handbook By Stephen Northcutt ISBN 0735708681 TCP/IP Illustrated, Volume 1 The Protocols By W. Richard Stevens ISBN 0201633469 Intrusion Detection By Rebecca G. Bace ISBN 1578701856 1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort handle IP defragmentation? A: Yes, use "preprocessor frag2" or "preprocessor defrag" or "preprocessor defrag2" Each has slightly different capabilities. 1.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort perform TCP stream reassembly? A: Yes, check out the stream4 preprocessor that does stateful analysis session loggin, tcp reassembly and much much more... Check the FAQ question on configuring stream4. 1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort perform stateful protocol analysis? A: Yes, Check out SNORT FAQ #1.6 1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I'm on a switched network, can I still use Snort? A: Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port. 1.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've heard IDSes are vulnerable to noise generators like "Stick" and "Snot". Is snort vulnerable to these types of attacks? A: It is now possible to defeat these kinds of noise generators with the stream4 preprocessor. Even without the stream4 preprocessor enabled, snort will weather the alert storm without falling over or losing a lot of alerts due to its highly optimized nature. Using tools that generate huge amounts of alerts will warn a good analyist that someone is trying to sneak by their defenses. 1.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've heard it is possible to use polymorphic mutators on shellcode? A: Yes, and this could defeat some of the NOP sled detection signatures but the ordinary exploit rules should not be affected by this kind of obfuscation. The SPACE statistical anomaly detector may detect some of these attacks. A number of other defenses are being worked on and should be ready by 2.0. 1.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Does Snort log the full packets that it generates alerts? A: Yes, the packets should be in the directory that has the same IP address as the source host of the packet which generated the alert. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- *************************************** Section 2: GETTING STARTED *************************************** 2.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I run snort? A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the packets. Then run it with the HOME_NET set appropriately for the network you're defending in your rules file. A default rules file comes with the snort distribution and is called "snort.conf" You can run this basic ruleset with the following command line: snort -A full -c snort.conf If it's all set right, once it's running do an "ifconfig -a" and make sure the interface is in promiscuous mode (it'll say so in the options section of the printout). If it's not, there should be a way to set it manually. 2.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where are my log files located? What are they named? A: The default location for logs is /var/log/snort. If snort is started with "-l <directory>", then the logs will be located in the directory specified. In the past, running Snort in daemon mode (-D) produced a file named "snort.alert". For consistency sake, this has been changed. Running Snort in both standard or daemon modes (-D) will produce a file named "alert". 2.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where's a good place to physically put a Snort sensor? A: This is going to be heavily influenced by your organizations policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall. Placing an IDS outside of your firewall will allow you monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated. Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass. If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made it's way in. 2.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Libpcap complains about permissions problems, what's going on? A: You are not running snort as root or your kernel is not configured correctly. 2.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does snort complain about /var/log/snort? A: It requires this directory to log alerts to it. Use: mkdir /var/log/snort Make sure the logging directory is owned by the user snort is running as. 2.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've got RedHat and .... A: Check your version of libpcap. :) If it's not >= 0.5, then you should update. 2.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where do I get the latest version of libpcap? A: http://www.tcpdump.org/ 2.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does building snort complain about missing references? A: You must make libpcap with the --install-incl option or install the libpcap-devel rpm. 2.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does building snort fail with errors about yylex and lex_init? A: You need the lex and yacc tools or their gnu equivalents flex and bison installed. 2.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I Want to build a snort box. Will this <Insert list of hardware> handle <this much> traffic? A: That depends. ;-) Lower the number of rules is a standard performance increase. Disable rules that you don't need or care about. There have been many discussions on 'tweaking performance' with lots of 'I handle XX mb with a ___ machine setup.' being said. Look at some of the discussions on snort-users 2.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are CIDR netmasks? A: (Excerpt from url: http://public.pacbell.net/dedicated/cidr.html) CIDR is a new addressing scheme for the Internet which allows for more i efficient allocation of IP addresses than the old Class A, B, and C address scheme. CIDR Block Prefix # Equivalent Class C # of Host Addresses /27 1/8th of a Class C 32 hosts /26 1/4th of a Class C 64 hosts /25 1/2 of a Class C 128 hosts /24 1 Class C 256 hosts /23 2 Class C 512 hosts /22 4 Class C 1,024 hosts /21 8 Class C 2,048 hosts /20 16 Class C 4,096 hosts /19 32 Class C 8,192 hosts /18 64 Class C 16,384 hosts /17 128 Class C 32,768 hosts /16 256 Class C 65,536 hosts (= 1 Class B) /15 512 Class C 131,072 hosts /14 1,024 Class C 262,144 hosts /13 2,048 Class C 524,288 hosts For more detailed technical information on CIDR, go to http://www.rfc-editor.org/rfcsearch.html and type in the number of the CIDR RFC you are interested in: RFC 1517: Applicability Statement for the Implementation of CIDR RFC 1518: An Architecture for IP Address Allocation with CIDR RFC 1519: CIDR: An Address Assignment and Aggregation Strategy RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment 2.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What is the use of the "-r" switch to read tcpdump files? A: Used in conjunction with a snort rules file, the tcpdump data can be analyzed for hostile content, port scans, or anything else Snort can be used to detect. Snort can also display the packets in a decoded format, which many people find is easier to read than native tcpdump output. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- *************************************** Section 3: CONFIGURING SNORT *************************************** 3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I setup snort on a 'stealth' interface? A: Bring up the interface without an IP address on it. See FAQ 3.2... http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/ A: Use an ethernet tap, or build your own 'receive-only' ethernet cable. http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm A: Anyway, here is the cable I use: LAN Sniffer 1 -----\ /-- 1 2 ---\ | \-- 2 3 ---+-*------ 3 4 - | - 4 5 - | - 5 6 ---*-------- 6 7 - - 7 8 - - 8 Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though. 3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I run snort on an interface with no IP address? A: ifconfig eth1 up 3.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My network spans multiple subnets. How do I define HOME_NET? A: Snort 1.7 supports IP lists. You can assign a number of addresses to a single variable. For example: var HOME_NET [10.1.1.0/24,192.168.1.0/24] NOTE: Not all preprocessors support IP lists at this time. Unless otherwise stated, assume that any preprocessor using an IP list variable will use the first value as the HOME_NET. The portscan preprocessor is an example. To catch all detectable portscans, pass 0.0.0.0/0 in as the first parameter. preprocessor portscan: 0.0.0.0/0 5 3 portscan.log Use the portscan-ignorhosts preprocessor to fine tune and ignore traffic from noisy, trusted machines. 3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How can I run snort on multiple interfaces simultaneously. A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available) the only way is to run multiple instances of snort, one instance per interface (with the -i option specifying the interface). However for linux 2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch which allows you to specify 'any' as interface name. In this case snort will be able to process traffic coming to all interfaces. 3.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: IP address is assigned dynamically to my interface, can I use snort with it? A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is available. The value of this variable will be always set to IP address/Netmask of the interface which you run snort at. if interface goes down and up again (and an IP address is reassigned) you will have to restart snort. For earlier versions of snort numerous scripts to achieve the same result are available. 3.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I have one network card and two aliases, how can I force snort to "listen" on both addresses ? A: If you're using at least version 1.7, you can specify an IP list like this: var HOME_NET [192.168.<your-IP>/24,<Internet address>/32] If you're using something older (version 1.6.3-patch2 or whatever) you can re-specify the HOME_NET variable multiple times like this (for example): var HOME_NET 10.1.1.0/24 include scan-lib etc. var HOME_NET 192.168.1.0/24 include scan-lib etc. 3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I ignore traffic coming from a particular host or hosts? A: Write pass rules and add the host(s) to the portscan-ignorehosts list. Call Snort with the -o option to activate the pass rules. See http://www.snort.org/docs/writing_rules/ for more information. A: Use bpf on the commandline to ignore a host (for example): $ snort <commandline options> not host 192.168.0.1 3.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I get Snort to log the packet payload as well as the header? A: Use the "-d" command line option. 3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why are there no subdirectories under /var/log/snort for IP addresses? A: It depends on how your snort configuration logs. If it logs in binary format, you'll have to process the binary log in order to get cleartext 3.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do you get snort to ignore some traffic? A1: Specify bpf filters on the command line the tcpdump man page has a description of bpf filters. A2: Use a pass rule A3: The portscan preprocessor has it's own special exclusion list with the portscan-ignorehosts.rules file directive 3.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list? A: These types of tcp packets are inherently suspicious, no matter where they are coming from. The portscan detector was built with the assumption that "stealth" packets should be reported, even from hosts which are not monitored for portscanning. An option to ignore "stealth" packets may be added in the future. 3.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Which takes precedence, commandline or rule file ? A: The command line always gets precedence over the rules file. If people want to try stuff out quickly without having to manually edit the rules file, they should be able to override many things from the command line. 3.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How does rule ordering work? A: Marty has answered this many times on the snort-users mailing list. Here is an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re: [Snort-users] order of evaluation of rules" Currently, the data structures that store Snort rule data are the RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are stored in a two dimensinal linked list structure with the RTNs forming the top row of the "Array" and the OTNs forming the columns under the RTNs. Here's an ASCII illustration from the infamous "lisapaper": RTN RTN RTN -------------- -------------- ----- | Chain Header | | Chain Header | | Chai | | | | | | Src IP | | Src IP | | Src | Dst IP |----->| Dst IP |----->| Dst ..... | Src Port | | Src Port | | Src | Dst Port | | Dst Port | | Dst | | | | | -------------- -------------- ----- | | | | | | OTN \|/ OTN \|/ -------V------ --------V------- | Chain Option | | Chain Option | | | | : | | Content | : | TCP Flags | : | ICMP Data | | Payload Size | | etc. | | | --------------- | | | OTN \|/ -------V------ | Chain Option | | | | Content | | TCP Flags | | ICMP data | | Payload Size | | etc. | | | -------------- | | Rules with similar rule headers (i.e. all the CGI rules, the old stealth port scan detection rules, most of the rules that focus on any single service, etc) are grouped under a single RTN for the sake of efficiency and the applicable OTNs are hung below them. For instance, if you have three rules like this: alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";) alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";) alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";) They all get grouped under the same RTN and the OTNs are "hung" beneath them like this: RTN -------------------- | SIP: any | | SP: any | | DIP: $HOME | | DP: 80 | -------------------- | | OTN \|/ ---------v---------- | content: foo | | msg: foo | --------------------- | | OTN \|/ ---------v---------- | content: bar | | msg: bar | --------------------- | | OTN \|/ ---------v---------- | content: baz | | msg: baz | --------------------- This is an efficient way to do things because we only need to check the data in the RTN once with this method. There is actually another dimension to this array: the function pointer list. Each node in the "array" has a linked list of function pointers attached to it. The functions in this list are the tests that need to be done to determine whether the data in the current packet matches the current rule node's information. Having this function pointer list gives us great efficiency and flexibility: we don't need to perform tests for things the current rule doesn't contain (e.g. "any" ports/IPs, packet content on non-content rules, etc). It also allows us to analyze the packet with any function without having to make major modifications to the whole program (which was the case in versions prior to version 1.5). There are a couple of implications of this architecture. For the sake of this discussion on rules ordering, the one we're interested in is that rule order is tricky to figure out. For instance alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";) alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";) alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";) alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";) gets built like this: RTN RTN -------------------- -------------------- | SIP: any | | SIP: any | | SP: any |-------->| SP: any | | DIP: $HOME | | DIP: $HOME | | DP: 80 | | DP: 1-1024 | -------------------- -------------------- | | | | OTN \|/ \|/ ---------v---------- ---------v---------- | content: foo | | flags: S | | msg: foo | | msg: example | -------------------- -------------------- | | OTN \|/ ---------v---------- | flags: S | | msg: Port 80 SYN! | -------------------- | | OTN \|/ ---------v---------- | content: baz | | msg: baz | -------------------- Note that all three of the port 80 rules will be checked before the "1:1024" rule due to the order in which the applicable RTN has been created. This is because the rules parser builds the first chain header for port 80 traffic and sticks it on the rules list, then on the next rule it sees that a new chain header is required, so it gets built and put in place. In this case you would intuitively expect to get the "example" message and never see the "Port 80 SYN!", but the opposite is true. 3.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I configure stream4? A: Stream4 is an entirely new preprocessor that preforms two functions: 1) Stateful inspection of TCP sessions 2) TCP stream reassembly I implemented stream4 out of the desire to have more robust stream reassembly capabilities and the desire to defeat the latest "stateless attacks" that have been coming out against Snort (c.f. stick and snot). Stream4 is written with the intent to let Snort be able to handle performing stream reassembly for "enterprise class" users, people who need to track and reassemble more than 256 streams simultaneously. I've optimized the code fairly extensively to be robust, stable, and fast. The testing and calculations I've performed lead me to be fairly confident that stream4 can provide full stream reassembly for several thousand simultaneous connections and stateful inspection for upwards of 64,000 simultaneous sessions. Stream4 is a large and complex piece of code (almost 2000 lines) and there are a lot of options associated with its runtime configuration, so I'll go over them here. preprocessor stream4: [noinspect], [keepstats], [timeout <seconds>], [memcap <btream4_reassemble defaults: Reassemble client: ACTIVE Reassemble server: INACTIVE Reassemble ports: 21 23 25 53 80 143 110 111 513 Reassembly alerts: ACTIVE There is a new command line switch that is used in concert with the stream4 code, "-z". The -z switch can take one of two arguments: "est" and "all". The "all" argument is the default if you don't specify anything and tells Snort to alert normally. If the -z switch is specified with the "est" argument, Snort will only alert (for TCP traffic) on streams that have been established via a three way handshake or streams where cooperative bidirectional activity has been observed (i.e. where some traffic went one way and something other than a RST or FIN was seen going back to the originator). With "-z est" turned on, Snort completely ignores TCP-based stick/snot "attacks". 3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where does one obtain new/modifed rules? How do you merge them in? A: New rules can be downloaded via CVS (See 3.16) or alternatively may be found at www.snort.org. There is a mailing list dedicated to snort rules, called snort-sigs hosted at sourceforge. To merge in new rules check out the snortpp program in the snort/contrib directory in the snort source archive. 3.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do you get the latest snort via cvs? A: The Snort project's SourceForge CVS repository can be checked out through anonymous (pserver) CVS with the following instruction set. The module you wish to check out must be specified as the modulename.r When prompted for a password for anonymous, simply press the Enter key. cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort Updates from within the module's directory do not need the -d parameter. *************************************** Section 4: RULES AND ALERTS *************************************** 4.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: When I start snort I get errors from my rules files: Some common ones: ERROR somefile.rules:yy => Port value missing in rule! ERROR somefile.rules:yy => Bad port number: "(msg:"blah" ERROR somefile.rules:yy => Couldn't resolve hostname blah What's going on? A: somefile.rules is the file where the syntax error occurred, and yy is the line number it occurred on. There are a couple of possibilities: a) The rule is missing a port value, has an invalid port number, or a bad hostname - in which case the ruleset author/maintainer should be notified. b) More often, the rule is just fine, but a variable in it was not declared. Open the rules file, look at the rule on the line number provided, and confirm that the variables it uses have been declared. You can read more about variables from http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.2 4.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?" A: Chuckle... Get rid of the quotes around the IP address and try again. :-) 4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet... A: Your firewall rules will also block traffic to the snort processes. 4.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I'm getting large amounts of <some alerts type>. What should I do? Where can I go to find out more about it? A: Some rules are more prone to producing false positives than others. This often varies between networks. You first need to determine if it is indeed a false positive. Some rules are referenced with ID numbers. The following are some common identification systems, and where to go to find more information about a particular alert. System Example URL --------------------------------------------------------------- IDS IDS182 http://www.whitehats.com/IDS/182 CVE CVE-2000-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138 Bugtraq BugtraqID 1 http://www.securityfocus.com/vdb/bottom.html?vid=1 McAfee Mcafee 10225 http://vil.nai.com/vil/dispVirus.asp?virus_k=10225 It may be necessary to examine the packet payload to determine if the alert is a false positive. The packet payload is logged using the -d option. If you determine the alerts are false positives, you may want to write pass rules for machines that are producing a large number of them. If the rule is producing an unmanageable amount of false positives from a number of different machines, you could pass on the rule for all traffic. This should be used as a last resort. 4.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What about all these false alarms? A: Most think that a pile of false positives is infinitely preferable. Then people can turn off what they don't want. The reverse, having a small rule set, can lure people into complacency thinking that Snort is doing "its thing" and there is nothing to worry about. 4.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are all these ICMP files in subdirectories under /var/log/snort? A: Most of them are likely destination unreachable and port unreachables that were detected by snort when a communications session attempt fails. 4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the program generate alerts on packets that have pass rules? A: The default order that the rules are applied in is alerts first, then pass rules, then log rules. This ordering ensures that you don't write 50 great alert rules and then disable them all accidently with an errant pass rule. If you really want to change this order so that the pass rules are applied first, use the "-o" command line switch. 4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are all these "ICMP destination unreachable" alerts? A: ICMP is the acronym for Internet Control Message Protocol They are failed connections ICMP unreach packet carries first 64 bits(8bytes) or more of the original datagrami and the original IP header. The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code indicates why the packet could not be delivered. The original codes are: 0 net unreachable 1 host unreachable 2 protocol unreachable 3 port unreachable 4 fragmentation needed and DF bit set 5 source route failed As far as why... "it all depends..." ICMP Unreachable Error Messages are divided into two groups: - ICMP Unreachable Error Messages issued by routers (all 16 of them) - ICMP Unreachable Error Messages issued by a Host (only 2) What are the only 2 issued by a host? ICMP Port Unreachable - the destination port on the targeted host is closed (a.k.a. not in a listening state). ICMP Protocol Unreachable - the protocol we were trying to use is not being used on the targeted host. Both ICMP Type field and Code field indicates why the packets could not be delivered. Some snort ICMP alerts" are informational like the ICMP alerts found in icmp-info.rules. At this time there are no references or even classtypes associated with these rules. Other rules are more likely to be associated with untoward activity. For example, in icmp.rules you will find: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:1;) which has a reference where the importance might be determined by checking out the aracnids reference. The classtype may indicate more or less the relative importance of the event. When a destination UDP port is closed on the targeted host, a.k.a. not in a listening state, the targeted host will issue an ICMP Port Unreachable error message back to the offending packets source IP address, given in the query. Some programs use these messages, like traceroute with *nix based machines. Windows based machines (tracert) will default to ICMP Echo requests... For further information about this see IP ftp://ftp.isi.edu/in-notes/rfc791.txt ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt TCP ftp://ftp.isi.edu/in-notes/rfc793.txt UDP ftp://ftp.isi.edu/in-notes/rfc768.txt and http://www.iana.org/assignments/icmp-parameters Actually, putting this URL somewhere handy is a good idea: http://www.iana.org/ There is also a good ICMP paper on http://www.sys-security.com/ 4.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? A: One of the reasons it alerts on a PA flags is to minimize the false positive. You will only get an alert upon successful connections. If you want to see all the attempts, you either have to modify the signatures, add you own signatures or use your firewall logs to see if an attempt to specific a port occurred. 4.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are these IDS codes in the alert names? A: IDS means "Intrusion Detection Signature" and identifies a known attack attempt. You can learn more about a specific IDS id at the arachNIDS search engine on http://www.whitehats.com/. The "references" keyword in rules can also be a good pointer for further research. 4.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? A: If you are dumping the data part of the packet, review it. These rules are known to have high false rates as most of them are just based on numeric port numbers. 4.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What about "CGI Null Byte attacks"? A: It's a part of the http preprocessor. Basically, if the http decoding routine finds a %00 in an http request, it will alert with this message. Sometimes you may see false positives with sites that use cookies with urlencoded binary data, or if you're scanning port 443 and picking up SSLencrypted traffic . If you're logging alerted packets you can check the actual string that caused the alert. Also, the unicode alert is subject to the same false positives with cookies and SSL. Having the packet dumps is the only way to tell for sure if you have a real attack on your hands, but this is true for any content-based alert. 4.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why do certain alerts seem to have 'unknown' IPs in ACID? A: The Snort database plug-in only logs packet information into the database when an alert is triggered by a rule (signature). Therefore, since alerts generated by pre-preprocessors such as portscan and mini-fragment have no corresponding rules, no packet information is logged beyond an entry indicating their occurance. As a consequence, ACID cannot display any packet-level (e.g. IP address) information for these alerts. For these particular alerts, certain statistics may show zero unique IP addresses, list the IP address as 'unknown', and will not list any packet information when decoding the alert. 4.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Can priorities be assigned to Alerts using ACID? A: The quick answer to this question is no. ACID is at the mercy of the underlying database, since Snort doesn't assign priorities, ACID does not have priorities. Nevertheless, there are several work-arounds: It is possible to enforce priorities of sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different versions of ACID, each pointing to a different instance of the database. With manual intervention Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as they arrive into the appropriate group. 4.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What about 'SMB Name Wildcard' alerts? A: Whitehats IDS177 http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query specifies traffic coming from *outside* of your local network. Allowing netbios traffic over public networks is usually very insecure. If the rule you are using also refers to ingres traffic only, then it would explain why you don't see a lot of false positives. For anyone reading that does see a lot of false postiives - if you change your rule to reflect the source address as being !$HOME (or whatever variable you use to represent your internal network), then you should see most of the false positives go away. The value of this chack is that a default administrative share C$ ADMIN$ or some such has been accessed. This shouldn't happen in normal use - when people want to share files they should be implicitely defining the shares and ACL. 4.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What the heck is a SYNFIN scan? A: SYNFIN scans got their name because there are both the SYN and FIN flags set. 4.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off? A: These messages are produced by the http_decode preprocessor. If you wish to turn these checks off, add -unicode or -cginull to your http_decode preprocessor line respectively. preprocessor http_decode: 80 8080 -unicode -cginull Your own internal users normal surfing can trigger these alerts in the preprocessor. Netscape in particular has been known to trigger them. Instead of disabling them,try a BPF filter to ignore your outbound http traffic such as: snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80) This has worked very well for us over a period of 5-6 months and Snort is still very able to decode actual and dangerous cgi null and unicode attacks on our public web servers. 4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I test snort alerts and logging? A: Try a rule that will fire off all the time like: alert tcp any any -> any any (msg:"TCP traffic";) Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar Sneeze is a false positive generator that reads snort signatures and generates packets that will trigger the rules. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- *************************************** Section 5: GETTING FANCY *************************************** 5.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I process those snort logs into HTML reports? A1: One popular solution is SnortSnarf, a tool for producing HTML out of snort alerts for navigating through these alerts (and doing a whole lot more). http://www.silicondefense.com/snortsnarf/ A2: If you want to set up logging to a database you could try ACID Some documentation describing the current ACID functionality: http://www.cert.org/kb/acid/ 5.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I log to multiple databases? A: You can build redundancy by using multiple output plugins. Here are some examples. Multiple instantiations of the database plugin: output log_database: mysql, dbname=snort host=localhost user=xyz output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz Remote database and local tcpdump: output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz output log_tcpdump: /var/log/snort.tcpdump Then you can replay the tcpdump file through snort to recreate the database. 5.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How can I test snort without having an ethernet card or a connection to other computers? A: You have to use routing between two dummy devices: modprobe -a dummy (The dummy device has to be build by the kernel) ifconfig dummy0 192.168.0.1 ifconfig dummy0:0 192.168.0.2 telnet 192.168.0.3 12345 It's important that the second IP is on the same interface and not e.g. dummy1 or dummy2 and that the IP you try to access is *not* one of those you put on the interfaces. Use snort's ability to hear in promiscious mode on an IP address range. (HOMEDIR=192.168.0.0/16) 5.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How to start snort as a win32 service? A: Service support has been added to snort-1.6.3-patch2 You can download the binary from: http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip Right now there is only a binary available. Snort Service FAQ: 1) Use must use complete paths for everything. This means EVERYTHING. Command line, configuration files, everything. Examples: All include statements must be full paths. I.E. 'include scan-lib' is WRONG. 'include C:\snort\scan-lib' is CORRECT. All Command line options must be full paths. I.E. 'snort.exe -l ./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT. 2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE(-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes. 3) How to install the snort service. Run snort like you would via command line but add a '-I'. I.E. 'snort.exe -c snort.conf -l ./log -h 192.168.1.0/24 -s' turns into 'snort.exe -c C:\snort\snort.conf -l C:\snort\log -h 192.168.1.0/24 -s -I' YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES. NOTE: You do NOT need to add the -D option to the command line when you install the service. If -D is not there it will automatically be added. 4) How to remove the snort service. Run 'snort -R'. 5) Does the Service run on 9x/ME. Yes. It uses a horrible hack to get it to work. Because of this when you boot up you will see a black command prompt window for about 5 seconds before snort goes to the background. This service mode is considered a horrible hack and probably will not work in every situation. 6) What functions are support by the NT service. Start and Stop currently. Pause and Resume will be implemented later (Code already exists but not working properly). Any questions, comments, flames please email mike@datanerds.net 5.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall? A: Yes, with additional software in the contrib directory. But this can be dangerous and is not recommended unless you know what you're doing. Guardian is available and is part of the contrib directory in the tarball distribution. Guardian is a perl script which uses snort to detect attacks, and then uses IPchains to deny any further attacks. The Guardian webpage can be found at: http://www.chaotic.org/~astevens/Guardian/index.html or you can use the mirror, http://www.cyberwizards.com/~midnite/Guardian/index.html But one caveat... running external binaries can also be a performance limiter and your should read the caution below... Christopher Cramer wrote: > > I'm sure this has been mentioned before in similar discussions, but this > feels like a _really_ bad idea. What if the bad guys realize what is > going on and make use of your blocking method as a DoS attack. All one > would have to do start sending a series of triggering packets with spoofed > IP addresses. > > Since I am no longer interested in breaking into your site, but rather > making your life hell, I don't worry about the resulting data getting back > to me. All I have to do is start proceeding up a list of IP addresses > that I think you should no longer be able to talk to. When you come in > the next morning, you find that you can no longer access the world. > > Just my $0.02. > Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous. However, for those that like to live at the bleeding edge of tech (and the separate process scanning logs and processing firewall commands sounds like a good way to do this...): Please remember to include an exclusion list and put on them important sites such as root servers, other important dns servers (yours, and important sites for your users), and in general any host you don't want to receive phone calls about being DoSed when they are spoofed - usually inconveniently like that first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the ceo can't reach his favorite redlite.org game.... you have to fly back from the carribean asap....") 5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort complains about the "react" keyword... A: Rerun configure with the --enable-flexresp option and rebuild/reinstall. 5.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I get snort to e-mail me alerts? A: Log to syslog and use swatch or logcheck. 5.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I log a specific type of traffic and send alerts to syslog? A: An example addition to snort.conf: ruletype redalert { type alert output alert_syslog: LOG_LOCAL2 output database: alert, postgresql, user=user dbname=snort password=pwd } [...snip...] Go into your local.rules and make sure you have something like: redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest") Then just do a telnet and type 'redalerttest'. Presto, alerts to both. 5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is it possible to have snort call an external program when an alert is raised? Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin nevermind timing while the packets are piling up is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even cpu slicing Windows gives you (that's sarcasm, sorry). Go with the second approach.... process invokation is expensive on Windows. You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, imho, and not be invoking the penalty of process invocation.... particularly on Windows where process invocation is much much heavier task than *nix. Even in a secondary process... You'll probably find something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per alert basis for the aforementioned reasons. As a better alternative go check out swatch or logwatch. --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- *************************************** Section 6: PROBLEMS *************************************** 6.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I think I found a bug in snort. Now what? A: get some more diagnostic information and post it to "snort-users" at http://www.sourceforge.net To get diagnostic information compile snort as either: make clean; make CFLAGS=-ggdb or make clean; make "CFLAGS=-ggdb -DDEBUG" trace coredump as: gdb /path/to/snort /path/to/snort/core gdb> where gdb> bt gdb> print $varname, varname, $$varname etc.. or if corefile isn't generated snort should be started as gdb snort gdb> run <snort args without -D switch :-)> 6.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: SMB alerts aren't working, what's wrong? A: Make sure you include "--enable-smbalerts" when you run "./configure". 6.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh? A: This was an internal diagnostic message triggered by an old bug in early versions of the defragmentation preprocessor. Upgrade to to the latest version of snort. 6.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says "Ran Out Of Space". Huh? A: This is an internal diagnostic message when the defragmentation preprocessor runs into its ~32MB hard allocation space limit. Tell Dragos about it <dr@kyx.net>. 6.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I'm having problems getting snort to log to a database... A: There were some issues with snort 1.6.3 writes Lee wrote.. > > Initializing rule chains... > > log_database: Database type is mysql > > log_database: Database name is snort > > log_database: Host set to localhost > > log_database: User set to root > > Problem obtaining SENSOR ID (sid) from mysql->snort->event In version 1.6.3, it turns out that many people have seen this error because they did not compile in support for their database. It should be fixed in snort 1.7 A quick and easy "fix" for older snort versions is to add -lm to either LIBS or LDFLAGS in the Makefile. e.g. LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl Anyway, if you are still having this problem you can take a look at the updated the installation and configuration information at the following web site. http://www.incident.org/snortdb 6.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My ACID db connection times-out when performing long operations (e.g. deleting a large number of alerts) A: PHP has an internal variable set to limit the length an script can execute. It is used to prevent poorly written code from executing indefinitely. In order to modify the time-out value, examine the 'max_execution_time' variable found in the 'php.ini' configuration file. 6.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does snort report "Packet loss statistics are unavailable under Linux"? A: The Linux IP stack doesn't report lost packet stats. This also has been recently fixed with the 2.4 kernel in the new version of libpcap... upgrade kernels and libpcap and it should now work. 6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My /var/log/snort directory get very large..... A: Try this script to archive the files. #!/bin/sh # # Logfile roation script for snort writen by jameso@elwood.net. # # This script is pretty basic. We start out by setting some vars. # Its job is tho rotate the days logfiles, e-mail you with what # it logged, keep one weeks worth of uncompressed logs, and also # keep compressed tgz files of all the logs. It is made to be run # at midnight everynight. This script expects you to have a base # dir that you keep all of your logs, rule sets etc in. You can # see what sub dirs it expects from looking at the var settings # below. # # Things to note in this script is that we run this script at 12 # every night, so we want to set the dirdate var the day the script # runs minus a day so we label the files with the correct day. We # Then create a dir for the days logs, move the log files into # todays dir. As soon as that is done restart snort so we don't miss # anything. Then delete any logs that are uncompressed and over a # week old. Then compress out todays logs and archive them away, and # end up by mailling out the logs to you. # # Define where you have the base of your snort install snortbase=/usr/snort # Define other vars # logdir - Where the logs are kept # oldlogs - Where you want the archived .tgz logs kept # weeklogs - This is where you want to keep a weeks worth of log files uncompressed # dirdate - Todays Date in Month - Day - Year format # olddirdate - Todays date in the same format as dirdate, minus a week logdir=$snortbase/log oldlogs=$snortbase/oldlogs weeklogs=$snortbase/weeklogs # When I first wrote this script, I only ran it on BSD systems. That was a # mistake, as BSD systems have a date command that apperently lets you walk the # date back pretty easily. Well, some systems don't have this feature, so I had # to change the way that dates are done in here. I left in the old way, because # it is cleaner, and I added in a new way that should be portable. If anyone # has any problems, just let me know and I will try to fix it. # # You have to change the system var to either bsd or other. Set it to bsd if # your system supports the "-v" flag. If you are not sure, set it to other. system=bsd if [ $system = bsd ] then dirdate=`date -v -1d "+%m-%d-%y"` olddirdate=`date -v -8d "+%m-%d-%y"` elif [ $system = other ] month=`date "+%m"` yesterday=`expr \`date "+%d"\` - 1` eightday=`expr \`date "+%d"\` - 8` year=`date "+%y"` dirdate=$month-$yesterday-$year olddirdate=$month-$eightday-$year fi # Create the Dir for todays logs. if [ ! -d $weeklogs/$dirdate ] then mkdir $weeklogs/$dirdate fi # Move the log files into todays log dir. This is done with # a for loop right now, because I am afriad that if alot is # logged there may be to many items to move with a "mv *" # type command. There may a better way to do this, but I don't # know it yet. for logitem in `ls $logdir` ; do mv $logdir/$logitem $weeklogs/$dirdate done # Kill and restart snort now that the log files are moved. kill `cat /var/run/snort_fxp0.pid` # Restart snort in the correct way for you /usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \ -c /usr/snort/etc/08292k.rules > /dev/null 2>&1 # Delete any uncompressed log files that over a week old. if [ -d $weeklogs/$olddirdate ] then rm -r $weeklogs/$olddirdate fi # Compress and save the log files to save for as long as you want. # This is done in a sub-shell because we change dirs, and I don't want # to do that within the shell that the script runs in. (cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1) # Mail out the log files for today. cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@domain.com 6.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the 'error deleting alert' message occur when attempting to delete an alert with ACIO? A: Most likely the DB user configure in ACID does not have sufficient privileges. In addition to those privileges granted to log the alerts into the database (INSERT, SELECT), DELETE is also required. This permission related issue can be confirmed by manually inserting a row into the database, then trying to delete it. 1. login to MySQL with the same credentials (i.e. username, password) as you use in ACID. e.g. % mysql -u -p 2. insert a test row into the event table mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0"); (this assumes that you don't already have a row with an event ID=1000000. If you do just choose another event id #) 3. now delete this newly inserted row mysql> DELETE FROM event WHERE sid=1 AND cid=10000000; If you where not able to delete, this confirms that this is a permission problem. Re-login to mysql as root, and issue a GRANT command (giving the DELETE permission) to the ACID DB user. e.g. GRANT DELETE on snort.* to acid@localhost (this assumes that my alert database is 'snort', username is 'acid', and logging from the 'localhost') 6.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: ACID appears to be broken in Lynx A: This is a known issue. Lynx mangles some of the form arguments appended to the URL. It's resolution is being investigated, but use Netscape, Opera, or IE in the mean time. 6.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong. A: You use older libpcap version with recent linux kernel. There should be no problem with it as long as your kernel supports SOCK_PACKET socket type. To get rid off the warning message however, you'll have to upgrade to some recent version of libpcap. (a copy from www.tcpdump.org is recommended). 6.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument A: It's because there's another program running using the DLPI service. The HP-UX implementation doesn't allow more than one libpcap program at a time to run, unlike Linux. (from snort.c) 6.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong? A: You may run out of free inodes, which basically also means you can not create more files on the partition. The obvious solution is to rm some ;-) 6.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am using Snort on Windows and receive an OpenPcap() error upon startup: ERROR: OpenPcap() device open: Error opening adapter What's wrong? A: Either winpcap is not installed, or you are using an incompatible version. Try upgrading to the latest version (2.1 as of 4/11/01). It is available from http://netgroup-serv.polito.it/winpcap/ 6.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort is not logging to my database A1: You did not set up the database plugin in your configuration file. A2: You are using an older database schema, and should update it by running the create scripts from the /contrib directory of the source tarball. A3: You are using a command line option that overrides what you have in your configuration file. This is most often -A or -s. NOTE: If you wish to log to syslog as well, specify so in your configuration file rather then the command line. A4: There is a problem with your database configuration itself. Make sure the user you specify has the correct permissions, or that the database is even up and running. 6.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Portscans are not being logged to my database A: You need to change the output facility to 'alert' rather then 'log'. The portscan preprocessor calls output plugins registered as 'alert' plugins rather then 'log'. output database: alert, mysql, user=snort dbname=snort host=localhost 6.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort is not logging to syslog A1: You are using a command line option that overrides what you have in your configuration file. This is most often -A. A2: It may be logging to the wrong place. Make sure syslog is configured correctly. 6.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var A: Try adding /32 netmasks to those addresses: var DNS_SERVERS [xxx.xx.0.3/32,xxx.xxx.0.2/32] And make sure the $DNS_SERVERS variable is on the portscan-ignorehosts line: preprocessor portscan-ignorehosts: $DNS_SERVERS 6.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why chrooted snort die when I send it a SIGHUP? A: It's a known problem with permissions. Workaround, restart snort instead. But the short answer is this: Due to the way the execv(2) call works, it "Restarts" snort from scratch. This has the odd side effect of making HUPS to a chrooted snort become recursive. For example, chroot to /snort. It now sees /snort as / . Now HUP snort. Snort now expects to have /snort/snort as /. In other words, you have to re-create your directories for your jail inside it. 4 HUPS and you will be in /snort/snort/snort/snort. 6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My snort crashes, how do I restart it? A: Try this shell script or daemontools #!/bin/sh #snorthup: Snort Restarter and Crash Logger #(dr@kyx..net with help from kmaxwell@superpages.com) $conf = "snort.conf" for $IFACE in fxp0 fxp1 do if [ -f /var/run/snort_$IFACE.pid ]; then if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then /usr/bin/logger -p user.notice snorthup: removing bogus pidfile /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $i rm -f /var/run/snort_$IFACE.pid /usr/local/bin/snort -D -c $conf -i $IFACE fi; else /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf /usr/local/bin/snort -D -c $conf -i $IFACE fi done 6.21 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub Basically it's a function of the design and all autoswitching hubs will behave in this way. It's the result of just not being able to stuff all the 100 Mbps traffic into the 10Mbps CSMA/CD. One solution I use to the problem is these new cheapie four port switches... put all the 10Mbps on it's own hub/switch/whatever and then route that to the 100Mbps hub I use for monitoring but put a cheapie switch in between that works as an adapter basically mediating the 10 up to 100 and vice versa. The bad thing about hubs that _don't_ have this "feature", is that in order to support 10bt devices, they throttle the entire hub speed down to 10bt if there is one or more 10bt only devices hooked up to it. I have seen this behavior (and did the bandwidth tests to proove it) on old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch thing.) So, the point of what I am saying is, since these old hubs have no switching capabilities, and they don't know which port the traffic is supposed to go to (no switch=no arp table), they have to throttle bandwidth. None of the hubs and switches have any significant amount of storage on the ethernet chip sets, and therefore _any_ non-layer-three box that has 100 -> 10 capability can only handle small amounts of traffic before the chip set drops incoming packets on the floor. Guess one might call that throttled bandwidth, but at the expense of retransmission timeouts and retransmissions at the end nodes. If the box has a backplane, multiple cards and some network management functions, there is a higher _probability_ the manufacturer has some additional buffering going on to keep dropped packets from happening on at least small bursts of traffic. In the most generic of terms, if a box supports 100 "full-duplex", then its a switch (regardless of what the manufacturer calls it). If it supports 100 -> 10, there is 50-50 chance the box has some MAC address awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a high probability it is not MAC address aware and therefor functions like a hub. Many hubs have different back planes, ie one for 10 one for 100. From a definition standpoint, a hub segment whether it be 10 or 100 is a single broadcast/collision domain. You will not see ANY traffic between segements without a bridge or layer3 route function between them. In a switched environment, typically each port is a separate collision domain but one big broadcast domain. VLANs can be created in some to separate into separate broadcast domains and some have built in layer 3 functionality which basically connects a router into the backplane so that it can route between vlans at wire speed. Think of a switch as a bridge with many ports. (that's what it is). Some switches support port mirroring or span ports. When you want to "sniff" frames in a switched environment (beyond just broadcast/multicast traffic) you need to be able to "see" the unicast traffic (telnet,http for example). You set up a port to mirror traffic from the ports that have the devices your interested in to the port you have your analysis device plugged into. Without doing so, you don't see the unicast conversations because the traffic is getting "switched" accross the backplane so pc on port 1 talks to server on port 2 and no other ports get this traffic. If server on port 2 broadcasts or multicasts, the information is flooded out all ports. (multicast can be controlled on some switches so only those ports that have listening stations get the traffic. Not all switches have these capabilities. An excellent book on the topic is Interconnections by Radia Perlman. (Bridges and Routers). Additional caveat: if you deal with full duplex on a switched port, only a tap would save you - users have succesfully used Shomiti's ones on 100MB FD ports, and used two Snort instances, capturing traffic on both directions. Port mirroring didn't work in that case ... --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- --END OF FAQ v1.8.1--

back to
top