Tips and Tricks: Troubleshooting Snort

Whether you’re tuning an existing Snort instance or have just finished a new installation, a common question soon follows: “Why aren’t I seeing any events?”

If this is the case with your Snort instance, there are a few basics to check.

Starting Snort
In many cases Snort is started by a script rather than a manual command, and that script usually includes “-D” to start Snort in daemon mode. Such scripts don’t help in the troubleshooting process, because Snort’s startup messages and errors never reach your console.

1. Check if Snort is running or if the script has been executed with a simple grep command:

ps aux | grep snort

2. If Snort is running, take note of the command displayed that was either executed manually or by a script, and then stop or kill the process.

3. Enter that long-hand command to start Snort (snort -c /etc/snort/snort.conf -i eth1, for example) in the foreground or continuous mode, making sure to omit the -D so the process is not started in daemon mode.

If there are any issues with Snort, they will be specifically noted on the console, and generally Snort will fail to start because of a fatal error.

If Snort starts successfully, you’ll see its final line stating “Commencing packet processing (pid=xxxxxxx).” If so, kill the process and move on to Log Files. If you get an error, resolve it and start Snort again in the same manner until there are no errors. Errors generally revolve around signatures (bad or incompatible signatures that kill Snort), missing files or rules directories, or something in snort.conf. Once Snort starts successfully, kill the process and move on to Log Files.

Log Files
Every time Snort starts it creates (or should create) a new log file. These files are generally named merged.log or snort.alert and are located in /var/log/snort, but of course the precise names and locations will differ depending on your setup.

You can confirm Snort successfully created its log file when you just started it in the last step, and also check for previous log files and their sizes with a simple list command:

ls -la /var/log/snort

You should see at least one log file, and more than likely the most recent one will have a size of zero; that’s fine, since Snort only ran for a few moments. Checking this directory with that command is very helpful, first in ensuring log files are being created, and second in determining whether those log files are growing in size.

If log files are being created and not growing in size after Snort has been running in daemon mode for some time, there could be issues with the configuration file, the signatures, or the traffic feed.

Configuration File
While Snort can be a complex tool, we aim to keep things simple. With a new installation of Snort, we make the following changes to its configuration file:

1. Provide the paths to the rules:

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

2. Uncomment the “output unified2” line and remove “nostamp”:

output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

3. In “Step #7” of the configuration file you’ll find a listing of rule categories that will be enabled when Snort starts:

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/local.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-other.rules

These categories may be missing or commented out, in which case when Snort starts it will run with few or no signatures, resulting in few to no events and small to zero log file sizes. Make and save any necessary changes to the configuration file, and move on to Signatures.

Signatures
Being a signature-based IDS tool, Snort will require enabled and current signatures to generate events. While too few signatures may result in few to no events, too many signatures enabled can result in not only too many events but an overloaded Snort sensor, an overcrowded Aanval dashboard—consisting of largely informational/nuisance events—and perhaps overworked database and/or hardware running the sensor.

Investigate the various rule categories in your /rules directory and make sure standard and especially critical signatures are enabled. For testing purposes, you can enable the signatures found in the protocol-icmp.rules file, start Snort in daemon mode, and then ping the Snort box from another IP. Keep in mind that these ICMP signatures aren’t generally kept enabled in active or production environments, and once tests are concluded it’s recommended to disable them.

Traffic Feed
Lastly, it’s critical that the interface Snort is monitoring is actually receiving real traffic. Snort commonly monitors the span/mirror port of a switch. Confirm which interface is to be monitored from the long-hand command used to start Snort (snort -c /etc/snort/snort.conf -i eth1, for example) and that the interface is up (ifconfig); then use tcpdump to check the interface for traffic with a basic command:

tcpdump -nn -i eth1 (or the interface to be scanned)

If you aren’t seeing anything, or only ARP and other basic traffic, you may need to check the feed and the interface. But once you’ve confirmed that there is more happening than basics and ARP, the interface Snort is to monitor should be solid.
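The checks in this post can be scripted. The helper below is an added example, not part of the original post: it turns the running Snort command line into its foreground form (dropping -D), counts rule includes that are enabled versus commented out in a snort.conf, and counts how many tcpdump lines carry more than ARP. The function names, the sample snort.conf excerpt and the sample tcpdump lines are constructed for illustration.

```shell
#!/bin/sh
# Added helper for the Snort checks above (example code, not from the post).

# 1. Turn the command line of a running Snort process (as printed by
#    "ps aux | grep snort") into the foreground form by dropping -D.
snort_foreground_cmd() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "-D") out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# 2. Count rule files actually included (not commented out) in a snort.conf
#    read from stdin, e.g.:  enabled_rule_includes < /etc/snort/snort.conf
enabled_rule_includes() {
    awk '/^[ \t]*include[ \t]/ { n++ } END { print n + 0 }'
}

# Count include lines that are commented out: the usual cause of an empty log.
commented_rule_includes() {
    awk '/^[ \t]*#[ \t]*include[ \t]/ { n++ } END { print n + 0 }'
}

# 3. Count tcpdump lines that carry more than ARP, e.g.:
#    tcpdump -nn -i eth1 -c 200 2>/dev/null | non_arp_packets
#    A feed that is only ARP means the span/mirror port is not delivering traffic.
non_arp_packets() {
    awk '!/ ARP, / { n++ } END { print n + 0 }'
}

# Constructed sample of the "Step #7" section with one category commented out.
SNORT_CONF_SAMPLE='# Step #7: Customize your rule set
include $RULE_PATH/local.rules
#include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/protocol-icmp.rules'

# Constructed sample of "tcpdump -nn -i eth1" output: one ARP line, two IP lines.
TCPDUMP_SAMPLE='12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
12:00:01.100000 IP 10.0.0.2.51234 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64'

echo "foreground command: $(snort_foreground_cmd 'snort -D -c /etc/snort/snort.conf -i eth1')"
echo "enabled includes:   $(printf '%s\n' "$SNORT_CONF_SAMPLE" | enabled_rule_includes)"
echo "commented includes: $(printf '%s\n' "$SNORT_CONF_SAMPLE" | commented_rule_includes)"
echo "non-ARP packets:    $(printf '%s\n' "$TCPDUMP_SAMPLE" | non_arp_packets)"
```

On a real sensor, feed the functions the live ps output, /etc/snort/snort.conf and a short tcpdump capture instead of the samples.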

Having completed this list of basic steps and checks, and making any necessary changes, you should be good to start your Snort instance(s) in daemon mode and begin to see log files created and growing, and events flowing into Aanval.

Sensor Filtering with Aanval 8

Aanval 8 Sensor Filtering

New to Aanval 8 is an all-new system for quickly filtering data based on sensors. For example, while viewing Frequent Events, a user can filter the view to focus on a single sensor or group of sensors by quickly disabling the view of other active sensors. While event importing and processing for disabled/filtered sensors continues in the background, event and analytical tools calculate and display data from only selected/unfiltered sensors. As filtered sensors are again checked or enabled, displays quickly and automatically update to account for the additional sensors and data.

How to Filter a Sensor

Hover over the name of the logged-in user in the upper right-hand corner, and a listing of options will show in a drop-down box.


Select Change Sensors View and a box will be displayed of sensors that have been set up and enabled on their respective Sensor Configuration pages. Check or uncheck sensors to change the data view on any menu. And because the Change Sensors View is part of the menu bar, it’s available to access on any page, allowing you to quickly make changes and get the focus and data you need.


Troubleshooting

The Change Sensors View is the first menu to check when users who have just set up new sensors ask why they aren’t seeing events or sensors. Sensors are not automatically enabled in this menu after being added to Aanval in a Sensor Configuration menu.

If the Change Sensors View is blank after adding new sensors, go back to the proper Sensor Configuration menu and check the User Permissions at the bottom of the page to ensure each user has intended access to each sensor. Once updated, refresh the page and select the Change Sensors View menu again and the new sensors will be available to check.

Tactical FLEX, Inc. Advances Best Performing IDS with Debut of Aanval 8

An Unparalleled End-to-End SIEM-Based Snort, Suricata, and Syslog IDS Solution

Seattle, May 31, 2016 /PRNewswire/ – Tactical FLEX, Inc., a global leader of information security, vulnerability, and risk management software solutions, today announced the debut of Aanval 8, the latest version of its market-leading IDS and SIEM platform. Tactical FLEX, Inc. continues to set a new bar and advances Aanval 8 with performance upgrades, enhanced threat detection, and a host of new features designed to deliver complete security visibility, real-time monitoring, and situational awareness.

Budget constraints are one of the main obstacles that challenge information security operations. Tactical FLEX, Inc. understands that all organizations need a comprehensive, scalable, and affordable real-time threat management solution that gives IT departments the technological power and operational efficiency to accelerate the accurate detection of security threats as well as pinpoint security risks in order to safeguard critical assets while maintaining regulatory compliance. Aanval 8 is designed and priced to deliver affordable enterprise-class security for all business sizes.

A few selected features and enhancements in Aanval 8:

* All-New HTML5 Look and Feel: A complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

* Direct Unified2 IDS Event Importing: Getting Barnyard2 working with IDS engines has been a major headache in the IDS community, along with its lack of IPv6 support. With Aanval 8, users can import and manage IDS event data, including IPv6 addresses, directly from Snort or Suricata by way of Aanval’s new and advanced Sensor Management Tools (SMTs). Alternate use importing with Barnyard2 and a MySQL database are still supported but not required.

* Threat Level Displays and Global Heat Maps: Visual Heat Maps technology, along with improved GeoLocation and brilliant customizable dashboards, are aimed to help users pinpoint and translate security issues and risks for upper management with contextual views replacing pointless charts and manual spreadsheets.

* Automation and Reporting Systems: Many security departments consist of one or two admins trying to stay on top of security threats and manage logs and reports. Aanval 8 delivers the necessary automation and operational efficiency for security pros. Quickly and easily create or modify any number of automated tasks for alerts and event management. Custom on-demand and scheduled reports provide clear results with helpful graphs and displays.

* Syslog Enhancements: Aanval 8 adds increased speed and capacity for retrieving and filtering large amounts of syslog data sent by various network devices. Also included is a new regex testing tool designed specifically for Aanval’s advanced syslog filtering logic.

Details of Aanval 8 are available at https://www.aanval.com/aanval. Aanval software, hardware, support, and training services may be purchased at https://www.aanval.com/purchase. Aanval may be downloaded for testing and evaluation. Follow Aanval on Twitter @Aanval.

About Tactical FLEX, Inc.

Tactical FLEX, Inc. is a privately owned software development firm based in Washington state, specializing in information security research, engineering, technology design, and production. For over a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world including government security, defense organizations, financial services, energy companies, educational institutions, healthcare organizations, and many others. As a trusted security vendor, there are over 6,000 customers worldwide that rely upon Aanval as part of their security infrastructure. Please visit https://www.aanval.com for more information.

Aanval 8 Is Here!

Aanval 8 is a major update and it’s packed with new and upgraded features:


  • An all-new HTML5 look and feel. Responsive. Faster.
  • Directly import Unified2 logs from Snort and Suricata. Barnyard2 is not required but still supported.
  • IPv6 support
  • Global Heat Maps and Improved GeoLocation
  • Improved syslog importing and new regex testing
  • Improved reports
  • Much more!

Check out Aanval.com for full details and other valuable documents:

We’re very excited about this release and want to make sure everyone has a chance to use Aanval 8. Download now at aanval.com/download. It comes with a license to test with a single IDS sensor and a single syslog sensor.

We have an Aanval solution for every environment. Each package includes an unlimited sensor-monitoring license, support, and console maintenance, so you’ll always have access to the latest features, fixes, and major version releases. From Aanval Small Business and Standard, to Enterprise, we have you covered.

Aanval Support Q&A: Expired Console and I Can’t Log In

Q: I tried opening Aanval on my browser, but I received a message saying the license has expired and my console is locked. I know the license is still valid. What’s happening?

A: If you’re having this or any login issue, the root of it generally stems from the connection to MySQL, since Aanval retrieves login and license information from the Aanval MySQL database.

Remedy: Make sure MySQL is up and running and the connection is solid. What we sometimes see is that MySQL is down because the disk is full. You may try connecting via another host or method to ensure MySQL is accessible. 

Once MySQL is back online, navigate to Aanval as you normally would and log in.

If you’re still receiving an Expired message, enter the address to Aanval in the browser and add the following to the end of the URL:

/?op=pub_login

This will take you directly to the login screen. In some cases the license really has expired. If that is the case, not a problem; all the data is intact and the console simply needs an updated license key. This login method will allow you to log in and navigate to License Management and update the license. If you’re still having issues, there may be further issues with the disk or database or login credentials. For further questions or issues, check out our Troubleshooting Guide at our Aanval Wiki, or contact Support. 

Aanval Support Q&A: Aanval Installation Issue: Can’t Connect to MySQL?

Q: During the web-based portion of the Aanval installation, I get to a menu where I enter the location of the aanvaldb and the credentials to access it, but upon submitting them I get a few errors and I can’t proceed. I can connect to MySQL on the command line and confirm it’s running and the credentials are correct. What’s going on?


A: Aanval connects to MySQL with the default port of 3306. If these errors display, it is because the MySQL instance is started and accessible only by port 3307 (used in SSL connections).

There are two methods to remedy the error. The first is to locate and edit the script or plist that starts MySQL, update the line that reads something similar to <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL.

The other method would be to return to the configuration menu on the browser and when entering the location of the Aanval database enter also the specific port. So in the example of a local installation, you’d enter 127.0.0.1:3307.

Aanval Support Q&A: Aanval Installation Issue: Missing Modules?

Q: I downloaded and untarred Aanval according to the guide provided (http://wiki.aanval.com/wiki/Aanval:V7_Installation_Guide) and installed all prerequisites, but after I point my browser to the Aanval location and accept the EULA, I get an error noting that MySQL is missing. I show that MySQL is installed and running. Can you help? I’m using CentOS 6 on a VM.

A: That step is an Environmental Test, in which all necessary PHP modules, directory structures, and permissions are checked. Your results show that it is not MySQL itself but the PHP MySQL module that is missing. It’s a very simple fix.

First, install that module:

yum install php-mysql

Second, restart Apache:

apachectl restart

Third, while on the browser, click the Retest option at the bottom of the page showing the Environmental Test results (you can also completely restart the web-based portion of the install by directing a new browser window to the Aanval location). The test will now confirm that module is installed and you can continue to the next step of pointing Aanval to the location of the aanval database so that Aanval can automatically build its structure and tables, and then log in.

Aanval 8: Coming Soon!

Aanval 8 Sneak Peek
Aanval 8 is almost here, with a brand new look, and loaded with new and improved features and performance!

Nearly a year in the making, Aanval 8 boasts dozens of new features and a complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

Featuring: HTML5, IPv6 Support, Direct Unified2 Support, Threat Levels Displays, Heat Maps, Syslog Updates, New Automation System, and more.


Check out other screenshots and details at https://www.aanval.com/aanval8

Aanval 8 will be publicly released in the coming weeks, and will be a free upgrade to all current Aanval SMB, SAS, and SAS Enterprise customers.

Aanval’s Event and Host Summaries

IDS engines like Snort and network devices can, and generally do, log thousands to millions of events per day, which can make it difficult to get a clear view of what has happened and what is happening.

Aanval provides numerous up-to-date and live views of your data to help you make sense of it, increase your situational awareness, and quickly determine potential threats. One of those views is Summaries.

Event and Host Summaries

Users can quickly select the event name from the dashboard or any Live display to visually see a Timeline browser displaying how often a given event is being generated, along with every host associated as a source and destination.


From there users can then select a given host to get a similar summary that would include a Timeline browser that further details risk level of generated events, Geo IP details, and a listing of events where that host has been associated as a source and destination. Host summaries can also be selected from the dashboard or any Live view by simply selecting the desired host or IP from the main event details.

Aanval’s Advanced, Scheduled, and Emailed Reports

Advanced Reporting

Aanval provides both on-demand and scheduled reports. They are available to view in a number of formats, including PDF, HTML, and XML, and can be emailed in PDF and Text formats.


Creating a Report

Users can generate a report from any search results. Users can also use the My Reports menu to create custom and scheduled reports and filter by sensor, risk level, and more.

Within the String / Text box, users can enter any of the keywords used by the Advanced Search tool to make their searches and reports extremely detailed, for example “lastweek:” to return all events from the last week. Keywords can be combined and used alongside the other criteria already provided in drop-down boxes, such as Risk Level and Source and Destination IP/Port.


Scheduled Reports

Users can create any number of scheduled reports and have them emailed to any number of addresses (comma separated).

Report Details

Aanval reports display exactly what the user searched or queried and when, and then detail, in an easy-to-read format with graphs, all event values such as Source and Destination IPs, Ports, sensors affected, where the events are stored, and more.

Learn More and Take Aanval for a Spin

* Aanval Reports

* Download Aanval