Hello,
I cannot run Snort with trafr using this code:
sudo trafr -s | snort -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ -r -
I get an ERROR: cannot set gid:1003:
pcap DAQ configured to read-file.
Acquiring network traffic from "stdin".
Reload thread starting...
Reload thread started, thread 0x86a23b40 (4109)
WARNING: active responses disabled since DAQ can't inject packets.
ERROR: Cannot set gid: 1003
Fatal Error, Quitting..
Please, how can I run trafr and Snort? Should I attach the /etc/snort/snort.conf file?
However, when I run Snort without trafr:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
it runs, but it does not capture the sniffed packets encapsulated in TZSP, only tests sent directly to 192.168.80.20 (my Snort server IP). I just want to test if my Snort IDS is capturing the traffic from my LAN with my /etc/snort/snort.conf file and the rules in it. I run a sample DDoS attack on another PC in my LAN. I can't get trafr and Snort to run at the same time with the registered Snort user rules and the specified log path.
I am a college student and I need to test Snort for my project with MikroTik, but I can't get it to work. I used these sources:
http://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
http://forum.mikrotik.com/t/mikrotik-router-os-routerboard-and-snort-ids-ips/53884/1
My MikroTik is sniffing to my Ubuntu 14.03 server 192.168.80.20. I installed Snort on this device using this guide (section 8-12):
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/090/original/Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1463002425&Signature=T%2B5f9ZvOsQHh1ND%2FqdMKxh2XD1k%3D
Did I make any mistakes during the installation described in the PDF file?
MikroTik is sniffing using this code:
/ip firewall calea add action=sniff chain=forward sniff-target=192.168.0.2 sniff-target-port=37008
/ip firewall calea add action=sniff chain=input sniff-target=192.168.0.2 sniff-target-port=37008
Okay, I adjusted the permissions for /var/log/snort/ and I start Snort with either one of these two commands; the outcome is the same:
sudo trafr -s | snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort/ -r -
#or
sudo trafr -s | snort -A console -c /etc/snort/snort.conf -i eth0 -l /var/log/snort/ -r -
pcap DAQ configured to read-file.
Acquiring network traffic from "stdin".
Reload thread starting...
Reload thread started, thread 0x86a44b40 (2823)
WARNING: active responses disabled since DAQ can't inject packets.
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.8.2 GRE (Build 335)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.6 <Build 1>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Commencing packet processing (pid=2821)
But I get stuck at "Commencing packet processing", and when I hit Ctrl+C after a while, I get "Can't acquire (-1) - error reading dump file: Interrupted system call!"
Snort doesn't write anything in /var/log/snort/snort.u2.* and I don't see any traffic even when I add "-A console".
How can I see the traffic in my network?
I have two sets of rules which I switch between to test Snort. One set of rules is from the Snort website for registered users and the other one is my own test set containing one simple rule for any ping (ICMP) to check if I receive anything. So far I am using the second set (any ping), but when I ping the server I don't see anything and Snort doesn't write anything, even when I add "-A console".
The reason you’re getting that error is that you cannot hit Ctrl+C - that ends the program.
trafr -s apparently listens on the UDP port mentioned in the article, and then strips the tunnel header and dumps the packet to standard out.
Namely, you are using this other piece of software to simulate a network device, and streaming the results to standard out, then redirecting that to the standard in of the snort program (that's what the final - does).
So when you hit ctrl+c - you are halting the execution of trafr, which closes the pipe and then Snort gets mad because it lost its input source.
Note that the article writer mentions that you either need to leave it logged on the console, or else run it in a session with a utility like screen.
Screen will let you detach a virtual terminal from your login session so that it can continue running even after you log off from the system.
Also note that the author suggests that you test the trafr / MikroTik sniffer portion of the solution by piping trafr into tcpdump first, which simply dumps everything it's receiving onto the screen so that you can confirm that you're receiving packets.
If you are, then you can focus the troubleshooting on snort itself.
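To make concrete what the answer above describes trafr -s doing (take the TZSP datagrams the MikroTik sniffer sends to UDP 37008, strip the tunnel header, and write a libpcap stream to standard out so that snort -r - can read it), here is an added, stand-alone Python stand-in. It is not trafr's code or part of the thread; the datagram it processes is constructed inline rather than read from a socket, the MAC/IP addresses in it are made up, and the IPv4/ICMP check only mirrors the "any ping" test rule the poster mentions.

```python
import struct
import sys

# TZSP header constants (protocol values, not page-specific)
TZSP_ENCAP_ETHERNET = 0x0001
TAG_PADDING, TAG_END = 0x00, 0x01   # the only tags without a length byte

def tzsp_decapsulate(datagram):
    """Strip the 4-byte TZSP header and the tag list; return the inner Ethernet frame."""
    version, _msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != TZSP_ENCAP_ETHERNET:
        raise ValueError("not a TZSP v1 Ethernet datagram")
    pos = 4
    while pos < len(datagram):
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            return datagram[pos:]          # everything after END is the sniffed frame
        if tag != TAG_PADDING:
            if pos >= len(datagram):
                break                      # length byte missing: fall through to the error
            pos += 1 + datagram[pos]       # every other tag is TLV: length byte, then value
    raise ValueError("TZSP tag list truncated or not terminated")

def pcap_stream(frames, ts_sec=0):
    """Encode Ethernet frames as a libpcap stream, the format snort -r - expects on stdin."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for frame in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out

def is_icmp_echo_request(frame):
    """True for IPv4 / ICMP type 8, i.e. what the poster's 'any ping' test rule targets."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    return frame[23] == 1 and len(frame) > 14 + ihl and frame[14 + ihl] == 8

def constructed_tzsp_datagram():
    """Hand-built sample (constructed, not captured): TZSP v1, type 0, Ethernet, a ping inside."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                     bytes([192, 168, 80, 21]), bytes([192, 168, 80, 20]))  # checksum left 0
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)                        # echo request
    tags = b"\x00" + b"\x0d\x04" + b"\x00\x00\x00\x2a" + b"\x01"            # PADDING, TIMESTAMP(4), END
    return struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET) + tags + eth + ip + icmp

if __name__ == "__main__":
    frame = tzsp_decapsulate(constructed_tzsp_datagram())
    sys.stdout.buffer.write(pcap_stream([frame]))   # pipe this into: snort -c ... -r -
```

Piping the script's output into tcpdump -r - is the same sanity check the article recommends for trafr: if the ping shows up there, the decapsulation side works and the remaining problem is on Snort's side.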