Tips and Tricks: Troubleshooting Snort

Whether you’re tuning an existing Snort instance or have just finished a new installation, there’s a common question that may soon follow: “Why aren’t I seeing any events?”

If this is the case with your Snort instance, there are a few basics to check.

Starting Snort
In many cases Snort is started with a script rather than a manually typed command, and that script usually includes “-D” to start Snort in daemon mode. A daemonized Snort hides its startup output, so such scripts don’t help in the troubleshooting process.

1. Check if Snort is running or if the script has been executed with a simple grep command:

ps aux | grep snort

2. If Snort is running, take note of the command displayed (whether it was executed manually or by a script), and then stop or kill the process.

3. Enter that long-hand command to start Snort (snort -c /etc/snort/snort.conf -i eth1, for example) in the foreground, making sure to omit the -D so the process is not started in daemon mode.

Any problems with Snort will be reported explicitly, and generally Snort will fail to start because of a fatal error.

If Snort starts successfully, its final line will read “Commencing packet processing (pid=xxxxxxx).” If you get an error instead, resolve it and start Snort again in the same manner until there are no errors. Errors generally revolve around signatures (bad or incompatible signatures that kill Snort), missing files or rules directories, or something in snort.conf. Once Snort starts successfully, kill the process and move on to Log Files.

Log Files
Every time Snort starts it should create a new log file. These files are generally named merged.log or snort.alert and are located in /var/log/snort, though precise names and locations will differ depending on your setup.

You can confirm Snort successfully created its log file when you just started it in the last step, and also check for previous log files and their sizes with a simple list command:

ls -la /var/log/snort

You should see at least one log file, and more than likely the size of the most recent one will be zero; that’s fine, since Snort only ran for a few moments. Checking this directory with that command is very helpful, first in ensuring log files are being created, and second in determining whether those log files are growing in size.

If log files are being created and not growing in size after Snort has been running in daemon mode for some time, there could be issues with the configuration file, the signatures, or the traffic feed.

Configuration File
While Snort can be a complex tool, we aim to keep things simple. With a new installation of Snort, we make the following changes to its configuration file:

1. Provide the paths to the rules:

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

2. Uncomment the “output unified2” line and remove “nostamp”:

output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

3. In “Step #7” of the configuration file you’ll find a listing of rule categories that will be enabled when Snort starts:

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/local.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-other.rules

These categories may be missing or commented out, in which case Snort will run with few or no signatures, resulting in few to no events and small to zero log file sizes. Make and save any necessary changes to the configuration file, and move on to Signatures.

Signatures
Being a signature-based IDS tool, Snort requires enabled and current signatures to generate events. While too few signatures may result in few to no events, too many enabled signatures can result not only in too many events but in an overloaded Snort sensor, an overcrowded Aanval dashboard (consisting largely of informational/nuisance events), and perhaps an overworked database and/or overworked hardware running the sensor.

Investigate the various rule categories in your rules directory and make sure standard and especially critical signatures are enabled. For testing purposes, you can enable the signatures found in the protocol-icmp.rules file, start Snort in daemon mode, and then ping the Snort box from an alternate IP. Keep in mind that these ICMP signatures aren’t generally kept enabled in active or production environments, and once tests are concluded it’s recommended to disable them again.

Traffic Feed
Lastly, it’s critical that the interface Snort is monitoring actually carries real traffic. Snort commonly monitors the SPAN/mirror port of a switch. After confirming which interface is to be monitored from the long-hand command that starts Snort (snort -c /etc/snort/snort.conf -i eth1, for example) and that the interface is up (ifconfig), you can use tcpdump to watch the interface for traffic with a basic command:

tcpdump -nn -i eth1 (substituting the interface to be monitored)

If you aren’t seeing anything, or only ARP or other basic traffic, you may need to check the feed and the interface. Once you’ve confirmed there is more on the wire than basics and ARP, the interface Snort is to monitor should be solid.

Having completed this list of basic steps and checks, and making any necessary changes, you should be good to start your Snort instance(s) in daemon mode and begin to see log files created and growing, and events flowing into Aanval.
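As an added example (constructed here, not code from the original post or from the Snort or Aanval projects), the following POSIX shell helpers mechanise the Starting Snort, Log Files, Configuration File and Traffic Feed checks above. The snort.conf patterns, the log directory and the tcpdump -nn line format are assumptions based on Snort 2.x defaults.

```shell
#!/bin/sh
# Constructed helper for the Snort troubleshooting checks (not part of the original
# post).  Assumes Snort 2.x conventions: "var *_PATH", "output unified2:" and
# "include $RULE_PATH/..." lines in snort.conf, logs under a directory such as
# /var/log/snort, and the line format printed by `tcpdump -nn -i <iface>`.

# Starting Snort: turn the daemon's command line (as shown by `ps aux | grep snort`)
# into the foreground form by dropping the standalone -D flag.
foreground_cmd() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) if ($i != "-D") out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# Configuration File: report the items the post says to check.  Prints one line
# per finding and returns 0 only when every check passes.
check_conf() {
    conf="$1"; rc=0
    for v in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
        if grep -Eq "^[[:space:]]*var[[:space:]]+$v[[:space:]]" "$conf"; then
            echo "ok: var $v set"
        else
            echo "missing: var $v"; rc=1
        fi
    done
    line=$(grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$conf" || true)
    if [ -z "$line" ]; then
        echo "missing: no uncommented 'output unified2:' line"; rc=1
    elif printf '%s\n' "$line" | grep -q nostamp; then
        echo "warn: unified2 output still carries nostamp"; rc=1
    else
        echo "ok: unified2 output enabled"
    fi
    enabled=$(grep -Ec '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$conf" || true)
    disabled=$(grep -Ec '^[[:space:]]*#[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$conf" || true)
    echo "rule includes: $enabled enabled, $disabled commented out"
    [ "$enabled" -gt 0 ] || { echo "warn: no rule categories enabled"; rc=1; }
    return $rc
}

# Log Files: snapshot "name size" for every file in the log directory, then compare
# two snapshots taken some time apart; logs_grew returns 0 if any file grew.
log_sizes() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(basename "$f")" "$(wc -c < "$f" | tr -d ' ')"
        fi
    done
}
logs_grew() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--" { later = 1; next }
        !later     { before[$1] = $2 + 0; next }
        ($1 in before) && ($2 + 0) > before[$1] { grew = 1 }
        END { exit grew ? 0 : 1 }'
}

# Traffic Feed: classify capture lines from `tcpdump -nn -i <iface>` read on stdin.
# Prints the protocol mix and returns 0 only when something beyond ARP was seen.
feed_summary() {
    awk '
        /^[0-9:.]+ ARP, / { arp++;   next }
        /^[0-9:.]+ IP6? / { ip++;    next }
        NF                { other++ }
        END {
            printf "arp=%d ip=%d other=%d\n", arp, ip, other
            exit (ip + other) > 0 ? 0 : 1
        }'
}

# Stand-alone use on a sensor: `sh snortcheck.sh run eth1` (file name is hypothetical).
if [ "${1:-}" = "run" ]; then
    check_conf /etc/snort/snort.conf
    tcpdump -nn -i "${2:-eth1}" -c 50 2>/dev/null | feed_summary
fi
```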

Aanval Support Q&A: Aanval Installation Issue: Can’t Connect to MySQL?

Q: During the web-based portion of the Aanval installation, I get to a menu where I enter the location of the aanvaldb and the credentials to access it, but upon submitting them I get a few errors and I can’t proceed. I can connect to MySQL on the command line and confirm it’s running and the credentials are correct. What’s going on?

Install Error

A: Aanval connects to MySQL with the default port of 3306. If these errors display, it is because the MySQL instance is started and accessible only by port 3307 (used in SSL connections).

There are two methods to remedy the error. The first is to locate and edit the script or plist that starts MySQL, update the line that reads something like <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL.

The other method is to return to the configuration menu in the browser and, when entering the location of the Aanval database, also enter the specific port. So, in the example of a local installation, you’d enter 127.0.0.1:3307.

Aanval Support Q&A: Aanval Installation Issue: Missing Modules?

Q: I downloaded and untarred Aanval according to the guide provided (http://wiki.aanval.com/wiki/Aanval:V7_Installation_Guide) and installed all prerequisites, but after I point my browser to the Aanval location and accept the EULA, I get an error noting that MySQL is missing. I show that MySQL is installed and running. Can you help? I’m using CentOS 6 on a VM.

A: That step is an Environmental Test in which all necessary PHP modules, directory structures, and permissions are searched for and tested. Your results show that it’s not MySQL but the PHP MySQL module that is missing. It’s a very simple fix.

First, install that module:

yum install php-mysql

Second, restart Apache:

apachectl restart

Third, while on the browser, click the Retest option at the bottom of the page showing the Environmental Test results (you can also completely restart the web-based portion of the install by directing a new browser window to the Aanval location). The test will now confirm that module is installed and you can continue to the next step of pointing Aanval to the location of the aanval database so that Aanval can automatically build its structure and tables, and then log in.

Aanval’s Event and Host Summaries

IDS engines like Snort and network devices can and generally do log thousands to millions of events per day, which can make it difficult to gather a view as to what has happened and what is happening. 

Aanval provides numerous up-to-date and live views of your data to help you make sense of it, increase your situational awareness, and quickly determine potential threats. One of those views is Summaries.

Event and Host Summaries

Users can quickly select the event name from the dashboard or any Live display to see a Timeline browser showing how often a given event is being generated, along with every host associated with it as a source and destination.

Event Summary

From there users can then select a given host to get a similar summary that would include a Timeline browser that further details risk level of generated events, Geo IP details, and a listing of events where that host has been associated as a source and destination. Host summaries can also be selected from the dashboard or any Live view by simply selecting the desired host or IP from the main event details.

Use Nmap to Increase Host Visibility Automatically with Aanval SAS

The biggest question you need to answer as a network security analyst is “What’s happening on my network?” Aanval helps deliver.

While knowing the specific events being generated by Snort is important, as is keeping that signature recipe finely tuned and updated, we believe it’s more important to know who’s behind those events (just as it’s more important to know and capture the bank robber than to spend too much time at the scene of the crime).

Aanval has amazing features that will detail the activity and behavior of not only those events but the hosts that either cause those events or act as the victim. With a single click, users can get a map of their host that includes a visually striking Timeline Browser readout of the host’s frequency in generating events and also their threat levels, so you immediately know how harmful a host may be. In addition to that, users get a full readout of what signatures that host has triggered, as both a host and possibly a victim. Quickly search those results for more details and create and email reports based on those results. All of those features are built-in and automatically work in the background and are available as you feed Aanval network alerts.

To get even more from your Aanval console, use Nmap to routinely scan the network or multiple networks for currently and newly connected hosts. All on an automated basis, Aanval will find those hosts and perform a scan to obtain their OS fingerprint or vendor, IP, and up/down status. But Aanval doesn’t stop there; it then imports those records to its Device Management readout, where users can then add more details about a given host (services, additional interfaces, etc.) and find its current state. Once those records are received, more Aanval features become automatically unlocked and fed, like Situational Awareness and Event Validation. 

With Situational Awareness, users can get an instant bird’s eye view of the connected hosts and their activity. Quickly determine harmful attackers and weak links. Views can be changed from a current view or even those in the past.

Event Validation allows users to quickly determine whether generated events come from known hosts and whether they may be false positives, which are one of the top reasons for failed IDS deployments, as they can quickly choke both a system and the analyst’s view.

Check out the links below to get these features up and running on your Aanval console, and increase your host visibility and situational awareness.

Nmap: Getting Started

Network Host Scanning

Situational Awareness

Event Validation

Tactical FLEX, Inc. Announces July Aanval SAS Webinar Schedule

SEATTLE, July 5, 2013 –Tactical FLEX, Inc., a global provider of information security, vulnerability, and risk management software solutions, today announced the July Aanval SAS (Situational Awareness System) webinar schedule. The webinar series will cover live demonstrations, product tours, program overviews, and also feature industry expert Byron Rashed, Global Marketing and Product Management Director of Emerging Threats. 

Visit our Webinar page to view upcoming educational webinars or past webcasts and our Demo page to view live demo schedules and product tours.

July 2013 Event Schedule

Educational Webinar: Selecting the Best IDS/IPS Solution and Most Comprehensive Ruleset for Enhanced Visibility and Threat Protection. Choosing and Utilizing Threat Intelligence to Minimize the Business Risk by Emerging Threats and Product Tour of Aanval SAS

Date/Time: Wednesday, July 31 at 2:00pm EDT » Click for Registration
Featured Guest: Byron Rashed, Global Marketing and Product Management Director of Emerging Threats

Join Tactical FLEX, Inc. in this complimentary educational webinar where Byron Rashed, Global Marketing and Product Management Director of Emerging Threats, will share valuable research data concerning trends in malware attacks and techniques seen in enterprise networks today. The business risks associated with malware attacks and malware protection will be explored. In this joint presentation, Tactical FLEX, Inc. will also introduce Aanval SAS (Situational Awareness System), the industry’s leading Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console designed to deliver end-to-end network visibility. A product tour of Aanval’s threat management features, systems, and technologies will be provided. Learn why Aanval is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities.

Reseller Webinar: Join Tactical FLEX, Inc. and Grow Your Security Practice: Aanval Reseller Program Overview

Date/Time: Thursday, July 25 at 2:00pm EDT » Click for Registration
Presenter: Kenneth Bitz, Strategic Alliance Director at Tactical FLEX, Inc.

Join us for a live, interactive 20-minute webinar where Kenneth Bitz, Strategic Alliance Director at Tactical FLEX, Inc., will provide an introduction to Tactical FLEX, Inc.‘s Reseller Program. Becoming an authorized Reseller is free and there are numerous business benefits and advantages to capitalizing on Aanval SAS (Situational Awareness System). Aanval is the industry’s leading Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console designed to deliver end-to-end network visibility. Currently there are over 6,000 organizations worldwide in various industries that rely upon Aanval as part of their security infrastructure. Aanval is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities. Tactical FLEX, Inc. enables small- and mid-market enterprises to quickly deploy, easily implement, and operate a cost-effective intrusion detection solution at a fraction of the cost of other platforms.

Live Demo Series: Aanval SAS Event Log Management Technology and Threat Management Features Simplified

Date/Time: Wednesday, July 10 at 1:00pm EDT » Click for Registration

Date/Time: Wednesday, July 17 at 1:00pm EDT » Click for Registration
Date/Time: Visit our Demo page to view entire global schedule and time-zones

Aanval SAS (Situational Awareness System) is the solution for IT security professionals demanding a proven security and network operations tool with a strong focus on intrusion detection, coupled with robust log management and SIEM capabilities. Join us for a live, interactive 30-minute demo of Aanval’s event log management technology and popular threat management features. Learn how you can obtain full visibility of your IT environment with Aanval SAS.

Event Log Management Technology: See why Aanval’s real-time log management solution delivers an unmatched competitive edge over other vendor solutions. Supporting Suricata and Snort (the world’s most widely used intrusion detection engine), as well as any device capable of outputting log information, Aanval imports, normalizes, and correlates event information for powerful, fast, and scalable analyses. More importantly, Aanval’s advanced search engine allows users to access, search, monitor, correlate, and report colossal amounts of real-time and historic event log data. Searching raw and historical data for forensic analysis, as well as tracking the attacks and locations of IP addresses, is straightforward and has never been quicker.

Popular Threat Management Features: Aanval helps IT departments focus and get back to protecting their network by automating security and building systems that allow security professionals to make determinations quickly while being well-informed. Explore the advanced threat management features of Aanval SAS including Situational Awareness, False Positive Protection, Event Correlation, and Live GeoLocation. Discover why Aanval is the industry’s most comprehensive Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. 

Live Tutorial: How to Use and Optimize Your Aanval Console for Real-Time Threat Management

Date/Time: Wednesday, July 24 at 1:00pm EDT » Click for Registration

This complimentary live demo is designed for prospective Aanval SAS users and investigators. During our first “Getting Started with Aanval SAS” live demo series, our Support Department will show you how to use and optimize your Aanval console for real-time threat management. Aanval SAS is simple to use and loaded with robust and powerful security features, and we want you to make the most of them to ensure your networks are secured. If you have yet to experience Aanval, download Aanval SAS in your own environment today for free and join thousands of IT security professionals and security researchers who are fighting to achieve greater situational awareness and network visibility using this remarkable tool.

About Emerging Threats

Emerging Threats is a world-leading provider of open source and commercial threat and malware intelligence. Founded in 2003 as a cyber security research community, Emerging Threats has become the de facto standard in network-based malware threat detection. The company’s ETOpen Ruleset, ETPro™ Ruleset, and IQRisk™ suite of threat intelligence are platform agnostic for easy integration with Suricata, SNORT®, and other network intrusion protection and detection systems. With ETPro Ruleset, organizations can achieve the highest standards of malicious threat detection with world-class support and research for extended vulnerability coverage. ETPro Ruleset is ideal for enterprises, government agencies, financial institutions, SMBs, higher education, and service providers. Learn more about Emerging Threats by visiting: http://www.emergingthreats.net

About Tactical FLEX, Inc.

Tactical FLEX, Inc. is a privately owned software development firm based in Seattle, specializing in information security research, engineering, technology design, and production. With the technological development of Aanval®, Tactical FLEX, Inc. has become a global provider of information security vulnerability and risk management software solutions that protect businesses of all sizes. Aanval® currently has over 6,000 customers worldwide including government security, defense organizations, technology corporations, financial services organizations, energy companies, educational institutions, healthcare organizations, biotechnology manufacturers, pharmaceutical companies, law firms, utility providers, and many others. Learn more about Aanval by visiting http://www.aanval.com. Aanval may be downloaded for testing and evaluation at http://www.aanval.com/download. Follow Aanval on Twitter @Aanval.

Tactical FLEX, Inc. to Host First Webinar in Bi-Monthly Aanval SAS (Situational Awareness System) Webinar Series

Tactical FLEX, Inc., a global provider of information security, vulnerability, and risk management software solutions, today announced that it will host the first bi-monthly Aanval SAS (Situational Awareness System) webinar series. The webinar series will cover live product demonstrations, product tours, and also feature security industry experts that will discuss topics of great interest to security professionals. Details of upcoming webinars and live demonstrations will be announced shortly.

This month’s webinar scheduled for May 22, 2013 at 12pm EDT is a 15-minute preview that will showcase five powerful Aanval SAS features designed to help organizations and their IT departments expand their security intelligence and network visibility. The five IDS features and offensive tools highlighted are:

» Situational Awareness™
» Offensive Reconnaissance™
» Rogue Host Detection
» False Positive Protection
» Real-time Geolocation Displays

For information and registration, please visit http://www.aanval.com/webinar and http://www.aanval.com/demo.

About Tactical FLEX, Inc.
For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry’s most comprehensive Suricata, Snort, and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Aanval is designed specifically to scale from small single-sensor installations to global enterprise deployments and can correlate event data and logs from hundreds of vendor products and solutions. Learn more about Aanval SAS (Situational Awareness System) by visiting http://www.aanval.com.

Aanval is also available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download.

Enhancements to Aanval’s Tagging System

With the release of Aanval v7, Tagging was introduced to allow users to detail and personalize event data. Now, with Aanval SAS (Situational Awareness System), Tagging has taken another large step. 

Tag Multiple Events
While users can still add multiple tags to an event while viewing its details, they can now quickly search and filter events and add multiple tags to multiple events on the new Tag Events display. 

Multiple Views
As an admin, want to know who’s tagging what and how often? Not a problem. You can visit Tag Management and click each available tag to find how often the tag has been used and in which datastores. You can also visit Frequent Tags under the Charts & Graphs option to view which tags have been used most frequently or infrequently. Additional charts, like pie and bar graphs, help you visually understand tag usage.

Download Aanval and Use the Tagging System
If you haven’t downloaded Aanval yet, go to our download page to create a free account and download the package. Then head to our wiki for installation guides and our Getting Started guide for the all-new Tagging system!

About Tactical FLEX, Inc.
For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry’s most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Learn more about Aanval SAS (Situational Awareness System) by visiting http://www.aanval.com.

“I can’t log in to Aanval”

“I can’t log in to the console. I entered the correct username and password and even received the ‘Authentication success’ message, yet I’m directed back to the login page.”

Prognosis and Remedy: Login issues like this are database/MySQL related. Generally when this occurs MySQL is not running. If MySQL is running, then the database tables are missing or corrupt, or more often the disk is full.

For more Aanval Tips, Tricks, and Troubleshooting assistance, visit our wiki.

Did you know? Aanval is the longest running and most refined Snort front-end, and has been in continual development since 2003. To take Aanval for a Test Drive, visit www.aanval.com/download.

Nmap 6.25 is available for download and plays wonderfully with Aanval SAS

The good developers at Nmap.org recently released Nmap 6.25. It sports performance improvements, better OS/version detection, and more. I downloaded and installed it, and then performed a scan and compared the new results to an old scan on the same IP. I was very pleased with the results: quick and much more accurate, particularly in regards to the mentioned OS detection. 

My first scan with 6.01 returned that the device (a Mac mini) was an iOS device running 5.0.1. The new scan with 6.25, however, accurately revealed the following: Apple Mac OS X 10.8 – 10.8.1 (Mountain Lion). Awesome!

If you’re currently using Nmap with Aanval, get the upgrade from nmap.org. If you’re using Nmap without Aanval or vice versa, you’re missing a fantastic partnership, one that can heavily enhance your situational awareness. Aanval can manually and routinely and automatically perform these searches on your networks, to find new Rogue Hosts and return Offensive Reconnaissance of those who might be seeking your harm or downfall.

Click here for more information

Take Aanval for a test drive yourself and then browse our helpful guide to get it configured with Nmap