snort的输出是空白，到底哪里出错了？

lnx

我有正常运行snort的(系统为debian)：

1. /usr/sbin/snort -D -c /etc/snort/snort.conf

复制代码

但是什么警告也没有，这是什么原因？如图：

混杂模式也开的，messages日志如下:

1. 
   
2. :
   
3. :
   
4. :
   
5. Sep 28 00:58:43 test kernel: eth0: Promiscuous mode enabled.
   
6. Sep 28 00:58:43 test  kernel: device eth0 entered promiscuous mode
   
7. Sep 28 00:58:43 test  kernel: device eth0 left promiscuous mode
   
8. Sep 28 01:05:36 test  kernel: eth0: Promiscuous mode enabled.
   
9. Sep 28 01:05:36 test  kernel: device eth0 entered promiscuous mode
   
10. Sep 28 01:05:46 test  kernel: device eth0 left promiscuous mode
    
11. :
    
12. :
    
13. :
    

复制代码

lnx

snort log

1. 
   
2. test:/var/log/snort# ls -al
   
3. total 24
   
4. drwxr-s---    2 snort    snort        4096 Sep 28 01:21 .
   
5. drwxr-xr-x    8 root     root         4096 Sep 27 21:32 ..
   
6. -rw-r-----    1 snort    snort           0 Sep 27 21:03 alert
   
7. -rw-r-----    1 root     snort          24 Sep 27 21:50 tcpdump.log.1096293003
   
8. -rw-------    1 root     snort          24 Sep 28 01:05 tcpdump.log.1096304736
   
9. -rw-------    1 root     snort          24 Sep 28 01:08 tcpdump.log.1096304899
   
10. -rw-------    1 root     snort           0 Sep 28 01:14 tcpdump.log.1096305268
    
11. -rw-------    1 root     snort          24 Sep 28 01:21 tcpdump.log.1096305704

复制代码

lnx

真搞不明了，我把日志输出到syslog出又能看到日志，但我不输出到syslog的话，alert里面什么也没有。

1. 
   
2. /usr/sbin/snort -s -D -c /etc/snort/snort.conf

复制代码

syslog日志输出如下：

1. 
   
2. Sep 28 01:57:48 test snort: Initializing daemon mode
   
3. Sep 28 01:57:48 test snort: PID path stat checked out ok, PID path set to /var/run/
   
4. Sep 28 01:57:48 test snort: Writing PID "7228" to file "/var/run//snort_eth0.pid"
   
5. Sep 28 01:57:48 test snort: ,-----------[Flow Config]----------------------
   
6. Sep 28 01:57:48 test snort: | Stats Interval:  0
   
7. Sep 28 01:57:48 test snort: | Hash Method:     2
   
8. Sep 28 01:57:48 test snort: | Memcap:          10485760
   
9. Sep 28 01:57:48 test snort: | Rows  :          4099
   
10. Sep 28 01:57:48 test snort: | Overhead Bytes:  16400(%0.16)
    
11. Sep 28 01:57:48 test snort: `----------------------------------------------
    
12. Sep 28 01:57:48 test snort: HttpInspect Config:
    
13. Sep 28 01:57:48 test snort:     GLOBAL CONFIG
    
14. Sep 28 01:57:48 test snort:       Max Pipeline Requests:    0
    
15. Sep 28 01:57:48 test snort:       Inspection Type:          STATELESS
    
16. Sep 28 01:57:48 test snort:       Detect Proxy Usage:       NO
    
17. Sep 28 01:57:48 test snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
    
18. Sep 28 01:57:48 test snort:       IIS Unicode Map Codepage: 1252
    
19. Sep 28 01:57:48 test snort:     DEFAULT SERVER CONFIG:
    
20. Sep 28 01:57:48 test snort:       Ports:
    
21. Sep 28 01:57:48 test snort: 80
    
22. Sep 28 01:57:48 test snort: 8080
    
23. Sep 28 01:57:48 test snort: 8180
    
24. Sep 28 01:57:48 test snort:  
    
25. Sep 28 01:57:48 test snort:       Flow Depth: 300
    
26. Sep 28 01:57:48 test snort:       Max Chunk Length: 500000
    
27. Sep 28 01:57:48 test snort:       Inspect Pipeline Requests: YES
    
28. Sep 28 01:57:48 test snort:       URI Discovery Strict Mode: NO
    
29. Sep 28 01:57:48 test snort:       Allow Proxy Usage: NO
    
30. Sep 28 01:57:48 test snort:       Disable Alerting: NO
    
31. Sep 28 01:57:48 test snort:       Oversize Dir Length: 500
    
32. Sep 28 01:57:48 test snort:       Only inspect URI: NO
    
33. Sep 28 01:57:48 test snort:       Ascii: YES alert: NO
    
34. Sep 28 01:57:48 test snort:       Double Decoding: YES alert: YES
    
35. Sep 28 01:57:48 test snort:       %U Encoding: YES alert: YES
    
36. Sep 28 01:57:48 test snort:       Bare Byte: YES alert: YES
    
37. Sep 28 01:57:48 test snort:       Base36: OFF
    
38. Sep 28 01:57:48 test snort:       UTF 8: OFF
    
39. Sep 28 01:57:48 test snort:       IIS Unicode: YES alert: YES
    
40. Sep 28 01:57:48 test snort:       Multiple Slash: YES alert: NO
    
41. Sep 28 01:57:48 test snort:       IIS Backslash: YES alert: NO
    
42. Sep 28 01:57:48 test snort:       Directory Traversal: YES alert: NO
    
43. Sep 28 01:57:48 test snort:       Web Root Traversal: YES alert: YES
    
44. Sep 28 01:57:48 test snort:       Apache WhiteSpace: YES alert: YES
    
45. Sep 28 01:57:48 test snort:       IIS Delimiter: YES alert: YES
    
46. Sep 28 01:57:48 test snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    
47. Sep 28 01:57:48 test snort:       Non-RFC Compliant Characters:
    
48. Sep 28 01:57:48 test snort: NONE
    
49. Sep 28 01:57:48 test snort:  
    
50. Sep 28 01:57:48 test snort: rpc_decode arguments:
    
51. Sep 28 01:57:48 test snort:     Ports to decode RPC on: 111 32771  
    
52. Sep 28 01:57:48 test snort:     alert_fragments: INACTIVE
    
53. Sep 28 01:57:48 test snort:     alert_large_fragments: ACTIVE
    
54. Sep 28 01:57:48 test snort:     alert_incomplete: ACTIVE
    
55. Sep 28 01:57:48 test snort:     alert_multiple_requests: ACTIVE
    
56. Sep 28 01:57:48 test snort: telnet_decode arguments:

复制代码

abel

complier 時有 enable mysql 嗎 !?
snort.conf 有 mysql 的相關設定嗎 !?
acid 有設對 mysql 嗎 !?

snort -c /etc/snort/snort.conf  全部顯示訊息為何 !?

lnx

谢谢，输出是正常的，如图：

1. 
   
2. Running in IDS mode
   
3. Log directory = /var/log/snort
   
4. 
   
5. Initializing Network Interface eth0
   
6. 
   
7.         --== Initializing Snort ==--
   
8. Initializing Output Plugins!
   
9. Decoding Ethernet on interface eth0
   
10. Initializing Preprocessors!
    
11. Initializing Plug-ins!
    
12. Parsing Rules file /etc/snort/snort.conf
    
13. 
    
14. +++++++++++++++++++++++++++++++++++++++++++++++++++
    
15. Initializing rule chains...
    
16. ,-----------[Flow Config]----------------------
    
17. | Stats Interval:  0
    
18. | Hash Method:     2
    
19. | Memcap:          10485760
    
20. | Rows  :          4099
    
21. | Overhead Bytes:  16400(%0.16)
    
22. `----------------------------------------------
    
23. No arguments to frag2 directive, setting defaults to:
    
24.     Fragment timeout: 60 seconds
    
25.     Fragment memory cap: 4194304 bytes
    
26.     Fragment min_ttl:   0
    
27.     Fragment ttl_limit: 5
    
28.     Fragment Problems: 0
    
29.     Self preservation threshold: 500
    
30.     Self preservation period: 90
    
31.     Suspend threshold: 1000
    
32.     Suspend period: 30
    
33. Stream4 config:
    
34.     Stateful inspection: ACTIVE
    
35.     Session statistics: INACTIVE
    
36.     Session timeout: 30 seconds
    
37.     Session memory cap: 8388608 bytes
    
38.     State alerts: INACTIVE
    
39.     Evasion alerts: INACTIVE
    
40.     Scan alerts: INACTIVE
    
41.     Log Flushed Streams: INACTIVE
    
42.     MinTTL: 1
    
43.     TTL Limit: 5
    
44.     Async Link: 0
    
45.     State Protection: 0
    
46.     Self preservation threshold: 50
    
47.     Self preservation period: 90
    
48.     Suspend threshold: 200
    
49.     Suspend period: 30
    
50. Stream4_reassemble config:
    
51.     Server reassembly: INACTIVE
    
52.     Client reassembly: ACTIVE
    
53.     Reassembler alerts: ACTIVE
    
54.     Zero out flushed packets: INACTIVE
    
55.     flush_data_diff_size: 500
    
56.     Ports: 21 23 25 53 80 110 111 143 513 1433
    
57.     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
    
58. HttpInspect Config:
    
59.     GLOBAL CONFIG
    
60.       Max Pipeline Requests:    0
    
61.       Inspection Type:          STATELESS
    
62.       Detect Proxy Usage:       NO
    
63.       IIS Unicode Map Filename: /etc/snort/unicode.map
    
64.       IIS Unicode Map Codepage: 1252
    
65.     DEFAULT SERVER CONFIG:
    
66.       Ports: 80 8080 8180
    
67.       Flow Depth: 300
    
68.       Max Chunk Length: 500000
    
69.       Inspect Pipeline Requests: YES
    
70.       URI Discovery Strict Mode: NO
    
71.       Allow Proxy Usage: NO
    
72.       Disable Alerting: NO
    
73.       Oversize Dir Length: 500
    
74.       Only inspect URI: NO
    
75.       Ascii: YES alert: NO
    
76.       Double Decoding: YES alert: YES
    
77.       %U Encoding: YES alert: YES
    
78.       Bare Byte: YES alert: YES
    
79.       Base36: OFF
    
80.       UTF 8: OFF
    
81.       IIS Unicode: YES alert: YES
    
82.       Multiple Slash: YES alert: NO
    
83.       IIS Backslash: YES alert: NO
    
84.       Directory Traversal: YES alert: NO
    
85.       Web Root Traversal: YES alert: YES
    
86.       Apache WhiteSpace: YES alert: YES
    
87.       IIS Delimiter: YES alert: YES
    
88.       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    
89.       Non-RFC Compliant Characters: NONE
    
90. rpc_decode arguments:
    
91.     Ports to decode RPC on: 111 32771
    
92.     alert_fragments: INACTIVE
    
93.     alert_large_fragments: ACTIVE
    
94.     alert_incomplete: ACTIVE
    
95.     alert_multiple_requests: ACTIVE
    
96. telnet_decode arguments:
    
97.     Ports to decode telnet on: 21 23 25 119
    
98. database: compiled support for ( mysql )
    
99. database: configured to use mysql
    
100. database:          user = snort
     
101. database: password is set
     
102. database: database name = snortdb
     
103. database:          host = localhost
     
104. database:   sensor name = 192.168.2.2
     
105. database:     sensor id = 1
     
106. database: schema version = 106
     
107. database: using the "log" facility
     
108. 1863 Snort rules read...
     
109. 1863 Option Chains linked into 186 Chain Headers
     
110. 0 Dynamic rules
     
111. +++++++++++++++++++++++++++++++++++++++++++++++++++
     
112. 
     
113. Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
     
114. 
     
115. +-----------------------[thresholding-config]----------------------------------
     
116. | memory-cap : 1048576 bytes
     
117. +-----------------------[thresholding-global]----------------------------------
     
118. | none
     
119. +-----------------------[thresholding-local]-----------------------------------
     
120. | gen-id=1      sig-id=2523      type=Both       tracking=dst count=10  seconds=10
     
121. | gen-id=1      sig-id=2496      type=Both       tracking=dst count=20  seconds=60
     
122. | gen-id=1      sig-id=2495      type=Both       tracking=dst count=20  seconds=60
     
123. | gen-id=1      sig-id=2494      type=Both       tracking=dst count=20  seconds=60
     
124. | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
     
125. +-----------------------[suppression]------------------------------------------
     
126. -------------------------------------------------------------------------------
     
127. Rule application order: ->;activation->;dynamic->;alert->;pass->;log
     
128. 
     
129.         --== Initialization Complete ==--
     
130. 
     
131. -*>; Snort! <*-
     
132. Version 2.2.0 (Build 30)
     
133. By Martin Roesch (roesch@sourcefire.com, www.snort.org)
     
134. 然后光标在这里停住

复制代码

我都将snort数据库用户设为GRANT了

platinum

和我的一样
如果你是-l path，则在path里有数据
如果你编译的时候是--with-mysql=/xxx，建立好数据库，应该写到数据库里

我也是没有数据，只有UDP-161（SNMP），其他没有
执行snort后，过一段时间按下ctrl ＋ c，能看到各个协议的百分比，但是数据没有，我怀疑是snort.conf配置不对造成的

lnx

我用的是debian,安装时是直接将apache php4 msyql libpcap snort-mysql等一股脑装上的，后来，昨天晚上的测试的时候将snort用户加了GRANT后得到一点数据，也就是说alert里面有一小点内容，但现在不管怎么扫描，怎么弄都没了，都没了。如果我不将数据写进数据库，那可以syslog里面看得到。

platinum

我是在REDHAT里面，所有插件都是编译安装的
其中包括
acid-0.9.6b23.tar.gz
adodb452.tgz
jpgraph-1.17-beta.tar.gz
pcre-4.3.tar.bz2
snort-2.2.0.tar.gz

lnx

我按这里面http://www.snort.org/docs/faq.html#6.15的FAQ配置过后，能够有一些数据进mysql了，但有时又没有（snort是正常的，可是ACID就是不出日志） 使用-l path是有一个以IP命名的数据，但一写进数据库却什么也没有，日志又看不出有什么错误
虽然知道是与mysql相关，但又不知道真正问题在哪，真郁闷

platinum

output database: alert, mysql
这个你设置的是alert还是log
如果用log，可能数据会更多一些