Tips and Tricks: Troubleshooting Snort

Whether you’re tuning an existing Snort instance or have just finished a new installation, there’s a common question that may soon follow: “Why aren’t I seeing any events?”

If this is the case with your Snort instance, there are a few basics to check.

Starting Snort
In many cases Snort is started by a script rather than a manual command, and that script usually includes “-D” to start Snort in daemon mode. A daemonized start hides the startup messages you need while troubleshooting, so such scripts don’t help in the troubleshooting process.

1. Check if Snort is running or if the script has been executed with a simple grep command:

ps aux | grep snort

2. If Snort is running, take note of the command displayed that was either executed manually or by a script, and then stop or kill the process.

3. Enter that long-hand command to start Snort (snort -c /etc/snort/snort.conf -i eth1, for example) in the foreground or continuous mode, making sure to omit the -D so the process is not started in daemon mode.

If there are any issues with Snort, they will be specifically noted and generally Snort will fail to start because of a fatal error. 

If Snort successfully starts, its final line will read “Commencing packet processing (pid=xxxxxxx).” If so, kill the process and move on to Log Files. If you get an error, resolve it and start Snort again in the same manner until there are no errors. Errors generally revolve around signatures (bad or incompatible signatures that kill Snort), missing files or rules directories, or something in snort.conf. Once the error is resolved and Snort starts successfully, kill the process and move on to Log Files.

Log Files
Every time Snort starts it creates (or should create) a new log file. These files are generally named merged.log or snort.alert and are located in /var/log/snort, but the precise names and locations will differ depending on your setup.

You can confirm Snort successfully created its log file when you just started it in the last step, and also check for previous log files and their sizes with a simple list command:

ls -la /var/log/snort

You should see at least one log file, and more than likely its size (or at least the most recent log file) will be zero, and that’s fine since Snort only ran for a few moments. But checking this directory with that command is very helpful in first ensuring log files are being created, and secondly determining if those log files are growing in size. 

If log files are being created and not growing in size after Snort has been running in daemon mode for some time, there could be issues with the configuration file, the signatures, or the traffic feed.
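The two checks above (is a log file being created, and is it growing?) can be scripted. The following is an added example, not code from the original post or from Snort or Aanval; it snapshots the log directory twice and classifies the result. The directory path and the 30-second interval are assumptions you can change.

```python
# Added example (not from the original post): snapshot a Snort log directory twice
# and classify what happened, mirroring the "ls -la /var/log/snort" check above.
import os
import time


def snapshot_sizes(log_dir):
    """Return {filename: size_in_bytes} for the regular files in log_dir."""
    sizes = {}
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            sizes[name] = os.path.getsize(path)
    return sizes


def classify(before, after):
    """Compare two {filename: size} snapshots of the log directory.

    'no-logs' : no log file exists, so Snort never got as far as creating one
    'growing' : at least one file gained bytes (or appeared non-empty), so events are written
    'static'  : files exist but none grew; suspect snort.conf, the rule set, or the feed
    """
    if not after:
        return "no-logs"
    for name, size in after.items():
        if size > before.get(name, 0):
            return "growing"
    return "static"


def check_log_growth(log_dir, interval_s=30, sleep=time.sleep):
    """Sample the directory, wait interval_s seconds, sample again, and classify.

    'sleep' is injectable so the check can be exercised without waiting.
    """
    before = snapshot_sizes(log_dir)
    sleep(interval_s)
    after = snapshot_sizes(log_dir)
    return classify(before, after)


if __name__ == "__main__":
    import sys

    # Assumed default location; pass another directory as the first argument.
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort"
    print(check_log_growth(log_dir))
```

Run it while Snort is in daemon mode on a monitored interface. A result of "static" after a sensible interval points at the three causes the post goes on to discuss: the configuration file, the signatures, or the traffic feed.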

Configuration File
While Snort can be a complex tool, we aim to keep things simple. With a new installation of Snort, we make the following changes to its configuration file:

1. Provide the paths to the rules:

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

2. Uncomment the “output unified2” line and remove “nostamp”:

output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

3. In “Step #7” of the configuration file you’ll find a listing of rule categories that will be enabled when Snort starts:

# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
# NOTE: All categories are enabled in this conf file

# site specific rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/local.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-other.rules

These categories may be missing or commented out, in which case when Snort starts it will run with few or no signatures, resulting in few to no events and small to zero log file sizes. Make and save any necessary changes to the configuration file, and move on to Signatures.
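Whether an include line is commented out, and whether the file it names actually exists, decides how many signatures Snort loads and whether it starts at all. The following is an added example, not code from the original post or from Snort; it audits a snort.conf fragment for enabled, commented-out, and missing includes. SAMPLE_CONF is a constructed fragment in the style shown above, and the exists callback is injectable so the audit can run on sample text without touching the real rules directory.

```python
# Added example (not from the original post): audit which rule files a snort.conf
# will actually load, so commented-out or missing includes are caught before Snort
# is started in daemon mode.
import os
import re

# Constructed fragment in the style of the snort.conf excerpt above.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
# Step #7: Customize your rule set
# NOTE: All categories are enabled in this conf file
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
# include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-other.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")


def expand_vars(path, variables):
    """Replace $NAME with its 'var NAME value' definition; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def audit_snort_conf(conf_text, exists=os.path.isfile):
    """Return which includes are enabled, which are commented out, and which enabled
    rule files are missing on disk (a missing file is a fatal startup error)."""
    variables = {}
    enabled, commented, missing = [], [], []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        path = expand_vars(m.group(2), variables)
        if m.group(1):  # "# include ..." loads nothing
            commented.append(path)
        else:
            enabled.append(path)
            if not exists(path):
                missing.append(path)
    return {"enabled": enabled, "commented": commented, "missing": missing}


if __name__ == "__main__":
    # Pretend only these two files exist, so the sample shows a missing include.
    present = {"/etc/snort/rules/local.rules", "/etc/snort/rules/app-detect.rules"}
    report = audit_snort_conf(SAMPLE_CONF, exists=lambda p: p in present)
    for key in ("enabled", "commented", "missing"):
        print(f"{key}: {report[key]}")
```

Against a real installation, call audit_snort_conf(open("/etc/snort/snort.conf").read()) with the default exists check: an empty "enabled" list explains tiny log files, and anything in "missing" explains a fatal error at startup.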

Being a signature-based IDS tool, Snort will require enabled and current signatures to generate events. While too few signatures may result in few to no events, too many signatures enabled can result in not only too many events but an overloaded Snort sensor, an overcrowded Aanval dashboard—consisting of largely informational/nuisance events—and perhaps overworked database and/or hardware running the sensor.

Investigate the various rule categories in your /rules directory and make sure standard and especially critical signatures are enabled. For testing purposes, you can enable the signatures found in protocol-icmp.rules, start Snort in daemon mode, and then ping the Snort box from another IP address. Keep in mind that these ICMP signatures aren’t generally kept enabled in active or production environments, and once tests are concluded it’s recommended to disable them again.

Traffic Feed
Lastly, it’s critical that the interface Snort is monitoring is actually receiving real traffic. Snort commonly monitors the span/mirror port of a switch. After confirming which interface is to be monitored from the long-hand command used to start Snort (snort -c /etc/snort/snort.conf -i eth1, for example) and that the interface is up (ifconfig), use tcpdump to check the interface for traffic with a basic command:

tcpdump -nn -i eth1 (or the interface to be scanned)

If you see nothing at all, or only ARP and other basic traffic, you may need to check the feed and the interface. Once you’ve confirmed there is more happening than basics and ARP, the interface Snort is to monitor should be solid.

Having completed this list of basic steps and checks, and making any necessary changes, you should be good to start your Snort instance(s) in daemon mode and begin to see log files created and growing, and events flowing into Aanval.

Quick Support: “None of my sensor’s events are showing in Aanval.”

After getting Aanval installed, set up, and sensors connected, users sometimes ask: “Why aren’t I seeing any events?”

Not a problem. Aanval 8 is loaded with new security and analytical tools. If you aren’t seeing your sensor’s events, first go to the Configuration Menu and select the proper import module (Unified2 Module, MySQL Module, Syslog Module). Under each module you’ll find Sensor Configuration.


After going to Sensor Configuration, choose the sensor in question. At the bottom of the menu you’ll see Sensor Permissions. These options allow admins to securely limit access to active sensors. When a box is unchecked for a given user, that user will not be able to view or manage event data for that sensor.


Make sure the chosen sensor’s Sensor Permissions are enabled for the desired user.

Aanval 8 further allows users to quickly filter sensor data on any menu, so that, for example, when viewing Frequent Offenders on the Charts menu, users can disable the view of certain sensors to focus on particular areas of the network, while sensor importing and functionality remains active in the background, just out of view.

Once Sensor Permissions are enabled, hover over the name of the logged-in user to view the drop-down menu and select Change Sensors View.


Once selected, all sensors that are both active and have the Sensor Permissions enabled for that logged-in user will be displayed. Check the box of each sensor for which you want to view and manage event data.


Once sensors are checked, event data will be immediately displayed. If after taking these steps you still do not see event data, start with making sure your sensors are active, properly logging in the Unified2 or syslog formats, depending on which sensor you’re troubleshooting, and that sensors are properly connected to Aanval.

Writing Regex with Aanval 8

Aanval and Syslog Data

While Aanval can import IDS logs from sources like Snort and Suricata, it can also import from any source that outputs in a syslog format, and it makes the same management tools, such as reporting, alerting, and correlation, available to both IDS and syslog data. This opens the gate to hundreds of vendors, products, and devices that can easily send data to Aanval for syslog processing.

Importing Syslog Data

Syslog data can be imported into Aanval by two methods: sending the data directly over UDP port 514 to Aanval’s own syslog server, or having Aanval fetch the event data from a file.


Regex Filters

Once syslog sensors are configured and event data starts being imported, users then need to write regex-based filters to parse specific data from their logs, such as the source IP or port. Below is a listing of all the values Aanval can parse:

* Date
* Time
* Protocol
* Source Address
* Destination Address
* Risk Level
* Source Port
* Destination Port
* Payload
* Event Name
* Category Name


Aanval 8 makes it much easier to write advanced regex filters. Aanval now includes its own regex tester, so you can quickly see the match results of your regex without having to test externally or wait for results. Aanval further includes the ability to join two different regexes to be used as one. For example, we may use the following regex to search for and grab everything that follows “src=“ in an attempt to grab the source port where the actual port number is attached to the source address (src=


While this regex would grab the source port, it also grabs everything that follows, which might include additional details we don’t want for this value, and we still haven’t identified or parsed the actual port number. By adding a double tilde (~~) to the end of our first regex, we can add a second regex that then searches for and grabs what we want from the smaller portion following “src=“ that was just grabbed:


This second expression searches for the first colon and grabs the number, whatever its length, that immediately follows it, thus identifying and parsing the desired source port. Our entire regex would then look like, and be entered into Aanval as, the following:
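The two-stage approach described above can be modelled outside Aanval to see what each stage returns. The following is an added example, not code from the original post or from Aanval; it assumes that every stage after the first is run against the text matched (or captured) by the previous stage, which is how the description reads but should be confirmed in Aanval’s own regex tester. SAMPLE_LOG and SAMPLE_LOG_V6 are constructed syslog lines, and the regexes are illustrations of the idea, not the post’s own expressions.

```python
# Added example (not from the original post): a chained two-stage regex in the
# style of Aanval's "~~" syntax. Assumption: each later stage runs against the
# previous stage's result.
import re

# Constructed sample lines: an IPv4 firewall event and an IPv6 one with a bracketed address.
SAMPLE_LOG = "Jul 14 15:13:42 fw1 kernel: DROP IN=eth0 src=10.0.0.5:51234 dst=192.0.2.10:443 proto=TCP"
SAMPLE_LOG_V6 = "Jul 14 15:14:02 fw1 kernel: DROP IN=eth0 src=[2001:db8::1]:8443 dst=[2001:db8::2]:443 proto=TCP"


def extract(value, stage):
    """Run one regex stage; return the first capture group if there is one, else the whole match."""
    m = re.search(stage, value)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def apply_chained_regex(expression, text):
    """Split the expression on '~~' and feed each stage's result into the next.

    Returns None as soon as any stage fails to match, so a partial result is never
    stored as if it were the real value.
    """
    current = text
    for stage in expression.split("~~"):
        current = extract(current, stage)
        if current is None:
            return None
    return current


# Stage 1 grabs everything after "src="; stage 2 grabs the digits after the first colon.
SRC_PORT = r"src=(.*)~~:(\d+)"
# For bracketed IPv6 addresses the first colon sits inside the address, so anchor on "]:".
SRC_PORT_V6 = r"src=(.*)~~\]:(\d+)"

if __name__ == "__main__":
    print("stage 1 only:", apply_chained_regex(r"src=(.*)", SAMPLE_LOG))
    print("both stages: ", apply_chained_regex(SRC_PORT, SAMPLE_LOG))
    print("IPv6, naive:  ", apply_chained_regex(SRC_PORT, SAMPLE_LOG_V6))
    print("IPv6, fixed:  ", apply_chained_regex(SRC_PORT_V6, SAMPLE_LOG_V6))
```

The IPv6 lines show why the first-colon rule deserves a test before a filter goes live: on a bracketed IPv6 address the naive second stage returns a digit from inside the address rather than the port, so a device that logs both address families needs a second stage that anchors on the closing bracket.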


These regex-writing and testing tools have enabled users to quickly set up their syslog sensors and parse the exact details they need, so that their syslog data appears and works like their IDS data. This makes searching easier, reports more detailed, and overall network visibility stronger and clearer.


See Also

* Aanval Wiki: Syslog Sensor Configuration
* Aanval Wiki: Syslog Filter Assignment

Sensor Filtering with Aanval 8

Aanval 8 Sensor Filtering

New to Aanval 8 is an all-new system for quickly filtering data based on sensors. For example, while viewing Frequent Events, a user can filter the view to focus on a single sensor or group of sensors by quickly disabling the view of other active sensors. While event importing and processing for disabled/filtered sensors continues in the background, event and analytical tools calculate and display data from only selected/unfiltered sensors. As filtered sensors are again checked or enabled, displays quickly and automatically update to account for the additional sensors and data.

How to Filter a Sensor

Hover over the name of the logged-in user in the upper right-hand corner, and a listing of options will show in a drop-down box.


Select Change Sensors View and a box will be displayed of sensors that have been set up and enabled on their respective Sensor Configuration pages. Check or uncheck sensors to change the data view on any menu. And because the Change Sensors View is part of the menu bar, it’s available to access on any page, allowing you to quickly make changes and get the focus and data you need.



The Change Sensors View is the first menu to check when users who have just set up new sensors ask why they aren’t seeing events or sensors. Sensors are not automatically enabled in this menu after being added to Aanval in a Sensor Configuration menu.

If the Change Sensors View is blank after adding new sensors, go back to the proper Sensor Configuration menu and check the User Permissions at the bottom of the page to ensure each user has intended access to each sensor. Once updated, refresh the page and select the Change Sensors View menu again and the new sensors will be available to check.

Upcoming Webinar on June 15th: Tactical FLEX, Inc. Debuts Aanval 8


Wed, Jun 15, 2016 7:00 AM – 7:30 AM PDT

Come join us and discover the excitement of Aanval 8 and find how to monitor every aspect of your network environment without breaking the bank! This upcoming webinar will provide an overview of Aanval 8 and cover a few selected features and enhancements including an all-new HTML5 look and feel, direct Unified2 IDS event importing, threat level displays and global heat maps, automation and reporting systems, and syslog enhancement. Learn why Aanval 8 is the complete end-to-end security solution for your IDS and syslog data.

Register Here


Tactical FLEX, Inc. Advances Best Performing IDS with Debut of Aanval 8

An Unparalleled End-to-End SIEM-Based Snort, Suricata, and Syslog IDS Solution

Seattle, May 31, 2016 /PRNewswire/ – Tactical FLEX, Inc., a global leader of information security, vulnerability, and risk management software solutions, today announced the debut of Aanval 8, the latest version of its market-leading IDS and SIEM platform. Tactical FLEX, Inc. continues to set a new bar and advances Aanval 8 with performance upgrades, enhanced threat detection, and a host of new features designed to deliver complete security visibility, real-time monitoring, and situational awareness.

Budget constraints are one of the main obstacles that challenge information security operations. Tactical FLEX, Inc. understands that all organizations need a comprehensive, scalable, and affordable real-time threat management solution that gives IT departments the technological power and operational efficiency to accelerate the accurate detection of security threats as well as pinpoint security risks in order to safeguard critical assets while maintaining regulatory compliance. Aanval 8 is designed and priced to deliver affordable enterprise-class security for all business sizes.

A few selected features and enhancements in Aanval 8:

* All-New HTML5 Look and Feel: A complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

* Direct Unified2 IDS Event Importing: Getting Barnyard2 working with IDS engines has been a major headache in the IDS community, along with its lack of IPv6 support. With Aanval 8, users can import and manage IDS event data, including IPv6 addresses, directly from Snort or Suricata by way of Aanval’s new and advanced Sensor Management Tools (SMTs). Alternate use importing with Barnyard2 and a MySQL database are still supported but not required.

* Threat Level Displays and Global Heat Maps: Visual Heat Maps technology, along with improved GeoLocation and brilliant customizable dashboards, are aimed to help users pinpoint and translate security issues and risks for upper management with contextual views replacing pointless charts and manual spreadsheets.

* Automation and Reporting Systems: Many security departments consist of one or two admins trying to stay on top of security threats and manage logs and reports. Aanval 8 delivers the necessary automation and operational efficiency for security pros. Quickly and easily create or modify any number of automated tasks for alerts and event management. Custom on-demand and scheduled reports provide clear results with helpful graphs and displays.

* Syslog Enhancements: Aanval 8 adds increased speed and capacity for retrieving and filtering large amounts of syslog data sent by various network devices. Also included is a new regex testing tool designed specifically for Aanval’s advanced syslog filtering logic.

Details of Aanval 8 are available at Aanval software, hardware, support, and training services may be purchased at Aanval may be downloaded for testing and evaluation. Follow Aanval on Twitter @Aanval.

About Tactical FLEX, Inc.

Tactical FLEX, Inc. is a privately owned software development firm based in Washington state, specializing in information security research, engineering, technology design, and production. For over a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world including government security, defense organizations, financial services, energy companies, educational institutions, healthcare organizations, and many others. As a trusted security vendor, there are over 6,000 customers worldwide that rely upon Aanval as part of their security infrastructure. Please visit for more information.

Aanval 8 Is Here!

Aanval 8 is a major update and it’s packed with new and upgraded features:


  • An all-new HTML5 look and feel. Responsive. Faster.
  • Directly import Unified2 logs from Snort and Suricata. Barnyard2 is not required but still supported.
  • IPv6 support
  • Global Heat Maps and Improved GeoLocation
  • Improved syslog importing and new regex testing
  • Improved reports
  • Much more!

Check out for full details and other valuable documents:

We’re very excited about this release and want to make sure everyone has a chance to use Aanval 8. Download now at It comes with a license to test with a single IDS sensor and a single syslog sensor.

We have an Aanval solution for every environment. Each package includes an unlimited sensor-monitoring license, support, and console maintenance, so you’ll always have access to the latest features, fixes, and major version releases. From Aanval Small Business and Standard, to Enterprise, we have you covered.

Aanval Support Q&A: Expired Console and I Can’t Log In

Q: I tried opening Aanval on my browser, but I received a message saying the license has expired and my console is locked. I know the license is still valid. What’s happening?

A: If you’re having this or any login issue, the root of it generally stems from the connection to MySQL, since Aanval retrieves login and license information from the Aanval MySQL database.

Remedy: Make sure MySQL is up and running and the connection is solid. What we sometimes see is that MySQL is down because the disk is full. You may try connecting via another host or method to ensure MySQL is accessible. 

Once MySQL is back online, navigate to Aanval as you normally would and log in.

If you’re still receiving an Expired message, enter the address to Aanval in the browser and add the following to the end of the URL:


This will take you directly to the login screen. In some cases the license really has expired. If that is the case, not a problem; all the data is intact and the console simply needs an updated license key. This login method will allow you to log in and navigate to License Management and update the license. If you’re still having issues, there may be further issues with the disk or database or login credentials. For further questions or issues, check out our Troubleshooting Guide at our Aanval Wiki, or contact Support. 

Aanval Support Q&A: Aanval Installation Issue: Can’t Connect to MySQL?

Q: During the web-based portion of the Aanval installation, I get to a menu where I enter the location of the aanvaldb and the credentials to access it, but upon submitting them I get a few errors and I can’t proceed. I can connect to MySQL on the command line and confirm it’s running and the credentials are correct. What’s going on?

Install Error

A: Aanval connects to MySQL with the default port of 3306. If these errors display, it is because the MySQL instance is started and accessible only by port 3307 (used in SSL connections).

There are two methods to remedy the error. The first is to locate and edit the script or plist that starts MySQL and update the line which would read something similar to <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL.

The other method would be to return to the configuration menu on the browser and when entering the location of the Aanval database enter also the specific port. So in the example of a local installation, you’d enter

Aanval Support Q&A: Aanval Installation Issue: Missing Modules?

Q: I downloaded and untarred Aanval according to the guide provided ( and installed all prerequisites, but after I point my browser to the Aanval location and accept the EULA, I get an error noting that MySQL is missing. I show that MySQL is installed and running. Can you help? I’m using CentOS 6 on a VM.

A: That step is an Environmental Test in which all necessary PHP modules, directory structures, and permissions are checked. Your results show that it is not MySQL but the PHP MySQL module that is missing. It’s a very simple fix.

First, install that module:

yum install php-mysql

Second, restart Apache:

apachectl restart

Third, while on the browser, click the Retest option at the bottom of the page showing the Environmental Test results (you can also completely restart the web-based portion of the install by directing a new browser window to the Aanval location). The test will now confirm that module is installed and you can continue to the next step of pointing Aanval to the location of the aanval database so that Aanval can automatically build its structure and tables, and then log in.