• Support
  • Forums
  • Blogs

Help configuring snort


Big Time
Hi all,
I am going insane trying to figure out how to get snort to work on OSSIM 4.3. I have a fresh install with 4 interfaces:
eth0: external management interface
eth1: promisc interface connected to vlan1
eth2: promisc interface connected to vlan2
eth3: internal interface for OSSEC communication to hosts on vlan1 & 2
eth1 & 2 have been configured in /etc/network/interfaces as follows:
auto eth1
iface eth1 inet manual
        up ifconfig $IFACE up
        up ifconfig $IFACE promisc
        down ifconfig down
running snort -i eth1 I can sniff traffic on vlan1 hosts, same goes for eth2/vlan2.

Out of the box ps aux | grep snort returned no running processes but somehow snort was sniffing on eth0 and added a few Dropbox broadcast events to the framwork.

To use my promisc interfaces I made the following changes in Alienvault Setup menu:
2. Configure sensor
   0. Select Listening interfaces (promisc mode): eth1 & eth2
   3. Monitored networks (added vlan1 & 2 network addresses):,
   4. Select Data Sources: selected snort_syslog snortunified
7. Apply changes

I then rebooted the SIEM.

ps auxww | grep snort now returns:
/usr/sbin/snort_eth2 -m 027 -D -d --daq-dir=/usr/lib/daq --daq pfring --daq-mode passive -l /var/log/snort -u root -g snort -c /etc/snort/snort.eth2.conf -S HOME_NET=[,] -i eth2

/usr/sbin/snort_eth1 -m 027 -D -d --daq-dir=/usr/lib/daq --daq pfring --daq-mode passive -l /var/log/snort -u root -g snort -c /etc/snort/snort.eth1.conf -S HOME_NET=[,] -i eth1

I have a webserver with a purposely vulnerbale webapp(Wavsep) on vlan2 ( After trying sqli, rfi,lfi,xss .... I get no events in the OSSIM framework. OSSEC on the other hand goes crazy. I have also tried disabling OSSEC but snort does not trigger.
I have also tried nmap -Pn -p 445 ip  repeatedly from a server in vlan1 to vlan2 to see if I could trigger a snort rule. No luck there either.

Both tcpdump -i ethx & snort -i ethx receive the packets but no events or snort rules are triggered.

/var/log/snort looks like this:
-rw-r-----  1 root  adm     0 Sep  1 16:36 snort_eth1.1378046180
-rw-r-----  1 root  adm     0 Sep  1 16:51 snort_eth1.1378047089
-rw-r-----  1 root  adm     0 Sep  1 17:03 snort_eth1.1378047783
-rw-r-----  1 root  adm     0 Sep  1 16:36 snort_eth2.1378046176
-rw-r-----  1 root  adm     0 Sep  1 16:50 snort_eth2.1378047015
-rw-r-----  1 root  adm     0 Sep  1 17:02 snort_eth2.1378047779

It seems to create the files but they are empty.

Does anyone know what I am doing wrong?
Cheers for the help.

Share post:

This discussion has been closed.