So I was following this guide on how to install Snort, Barnyard 2 and the like.
I've set up Snort so it would run automatically, by editing the rc.local file:
ifconfig eth1 up
/usr/local/snort/bin/snort -D -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
-d /var/log/snort \
-f snort.u2 \
-w /var/log/snort/barnyard2.waldo \
-D
And I then restarted the computer. Snort was able to run and detect the attack, but the log files (including barnyard2.waldo) remained blank, even though a new log entry was created for each attack.
I'm not sure what went wrong here, since it's supposed to log any attacks and store them in the log directory, right?
Then, I tried changing the parameter to:
/usr/local/snort/bin/snort -D -b -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1
And when I checked the log directory, there were two log files, one in u2 and another in tcpdump format, but they were both blank, approximately 0 bytes each.
So I thought I'd run it from the console to see if it would work from there, using this command:
/usr/local/snort/bin/snort -A full -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1
and I then checked the log file to see if it had logged the attack, and it still hadn't.
Please check the permissions of the log files and the log directory.
Possibly Snort is not able to write into that file/directory.
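An added check to go with this answer (it is not part of either answer or of the poster's setup): a POSIX shell script that works out whether the uid/gid Snort drops to with `-u snort -g snort` can create files in the log directory, using only the owner, group and mode bits that `stat` reports. It assumes GNU coreutils `stat -c`, and takes the path `/var/log/snort` and the user `snort` from the question; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread.
# dir_writable_by DIR UID GID
#   exit 0 if a process with that uid/gid can create files in DIR,
#   1 if the mode bits forbid it, 2 if DIR does not exist.
dir_writable_by() {
    dir=$1 uid=$2 gid=$3
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # root is not subject to mode bits
    if [ "$uid" -eq 0 ]; then
        return 0
    fi
    # owner uid, owner gid and octal mode of the directory (GNU stat)
    set -- $(stat -c '%u %g %a' "$dir")
    ouid=$1 ogid=$2 mode=$3
    # keep the last three octal digits; drops a leading setuid/setgid/sticky digit
    perm=${mode#${mode%???}}
    if [ "$uid" -eq "$ouid" ]; then
        bits=${perm%??}                    # owner digit
    elif [ "$gid" -eq "$ogid" ]; then
        bits=${perm#?}; bits=${bits%?}     # group digit
    else
        bits=${perm#??}                    # other digit
    fi
    # creating a file needs write (2) AND search/execute (1) on the directory
    [ $(( bits & 3 )) -eq 3 ]
}

# check_snort_log_dir [DIR] [USER]
#   resolves the user Snort runs as and reports whether it can write DIR.
#   Defaults are the poster's: /var/log/snort and user snort.
check_snort_log_dir() {
    dir=${1:-/var/log/snort} user=${2:-snort}
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    gid=$(id -g "$user")
    if dir_writable_by "$dir" "$uid" "$gid"; then
        echo "$user can write in $dir ($(stat -c '%U:%G %a' "$dir"))"
    else
        echo "$user CANNOT write in $dir ($(stat -c '%U:%G %a' "$dir"))" >&2
        echo "fix: chown -R $user:$user $dir && chmod 750 $dir" >&2
        return 1
    fi
}

# Run the check when invoked directly: sh check_snort_log.sh --check [DIR] [USER]
case ${1:-} in
    --check) shift; check_snort_log_dir "$@" ;;
esac
```

The function only looks at the classic owner/group/other bits; it ignores supplementary groups, POSIX ACLs and SELinux/AppArmor, so treat a "can write" result as necessary rather than sufficient and confirm with `sudo -u snort touch /var/log/snort/.write-test`. Note also that in the poster's rc.local, Snort drops to snort:snort while barnyard2 is started without `-u`/`-g` and therefore runs as root, so files the two daemons create in the same directory will have different owners; run the check for both users.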
Seems like you have nostamp specified in your snort.conf. Find the line
output unified2: filename snort.log, limit 128
and make sure it doesn't look like:
output unified2: filename snort.log, limit 128, nostamp