Recently I replaced my router OS with OpenWRT, and I've installed snort (2.9) on it with:
opkg install snort
My one and only rule in /etc/snort/rules/local.rules:
alert icmp any any -> [My Router Private IP like : 192.168.0.1] any (msg: "NMAP ping sweep Scan"; dsize:0;sid:10000004; rev: 1;)
The problem is that when I run:
snort -A console -q -c /etc/snort/snort.conf -i br-lan --daq-dir /usr/lib/daq
on the command line, it is okay: it detects some Nmap scan attacks and writes the alerts to the console:
04/12-08:19:50.152690 [**] [1:10000005:2] NMAP TCP Scan [**] [Priority: 0] {TCP} 192.168.0.10:46287 -> 192.168.0.1:22
and to the log file, but when I start the service with:
/etc/init.d/snort start
nothing happens and no log file is created when I use the same Nmap command (nmap -sX -p22 192.168.0.1).
My questions are:
Why is the service not running?
There is no way of detecting if everything is okay with the service without systemctl.
Why is the log created when I run the snort command nonsense?
When I type, for example, cat /var/log/snort/snort.log.1523473976 I get:
�����Z�^8Mvv�n6(爈���Ehu�##A3��<���
in the console.
PS:
1 - cat /etc/init.d/snort:
#!/bin/sh /etc/rc.common
# Copyright (C) 2015 OpenWrt.org

START=90
STOP=10

USE_PROCD=1
PROG=/usr/bin/snort

validate_snort_section() {
    uci_validate_section snort snort "${1}" \
        'config_file:string' \
        'interface:string'
}

start_service() {
    local config_file interface

    validate_snort_section snort || {
        echo "validation failed"
        return 1
    }

    procd_open_instance
    procd_set_param command $PROG "-c" "$config_file" "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"
    procd_set_param file $CONFIGFILE
    procd_set_param respawn
    procd_close_instance
}

stop_service()
{
    service_stop ${PROG}
}

service_triggers()
{
    procd_add_reload_trigger "snort"
    procd_add_validation validate_snort_section
}
2 - I actually followed this link to configure it, but I uncommented and set config logdir: to /var/log/snort/.
(Any help would be greatly appreciated.)
It's set to localhost by default: lo.
Check the output of uci show snort.snort.interface
You can change it with uci set snort.snort.interface=br-lan
Restart snort to confirm it has actually taken the new parameters: /etc/init.d/snort restart
You can view the whole command line in top/htop.
If all is good, save the changes to UCI: uci commit
And your logs are binary with that config, not text. I have mine log to syslog and send them to a remote rsyslog server; in snort.conf: output alert_syslog: LOG_AUTH LOG_ALERT
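The console and syslog alert output is text in the format quoted in the question, whereas the files under logdir are unified2 binary. The following is an added example, not code from the question or the answer, that summarises those text alerts by source address and by signature so a sweep like the one above stands out; the sample lines are constructed, modelled on the alert line in the question.

```shell
#!/bin/sh
# Added example: summarise Snort fast-alert lines ("-A console" or alert_syslog output).
# The unified2 files under logdir are binary and need u2spewfoo or barnyard2 instead.
# Constructed sample input, modelled on the alert line quoted in the question.
SAMPLE_ALERTS='04/12-08:19:50.152690 [**] [1:10000005:2] NMAP TCP Scan [**] [Priority: 0] {TCP} 192.168.0.10:46287 -> 192.168.0.1:22
04/12-08:19:51.000143 [**] [1:10000004:1] NMAP ping sweep Scan [**] [Priority: 0] {ICMP} 192.168.0.10 -> 192.168.0.1
04/12-08:20:02.500210 [**] [1:10000005:2] NMAP TCP Scan [**] [Priority: 0] {TCP} 192.168.0.10:46288 -> 192.168.0.1:443'

# parse_snort_alert LINE -> "sid|msg|proto|src|dst" (prints nothing if LINE is not an alert)
parse_snort_alert() {
    printf '%s\n' "$1" | sed -n \
        's/^\([^ ]*\) \[\*\*\] \[\([0-9]*\):\([0-9]*\):\([0-9]*\)\] \(.*\) \[\*\*\] \[Priority: \([0-9]*\)\] {\([A-Z]*\)} \([^ ]*\) -> \([^ ]*\)$/\3|\5|\7|\8|\9/p'
}

# alerts_by_source TEXT -> one "ip count" line per source address (port stripped), busiest first
alerts_by_source() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parse_snort_alert "$line"
    done | cut -d'|' -f4 | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn \
       | awk '{ print $2, $1 }'
}

# alerts_by_sid TEXT -> one "sid|msg count" line per signature, most frequent first
alerts_by_sid() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parse_snort_alert "$line"
    done | cut -d'|' -f1,2 | sort | uniq -c | sort -rn \
       | sed 's/^ *\([0-9]*\) \(.*\)$/\2 \1/'
}

# Stand-alone demo over the constructed sample
alerts_by_source "$SAMPLE_ALERTS"
alerts_by_sid "$SAMPLE_ALERTS"
```

Feed it real data with `alerts_by_source "$(grep snort /var/log/messages)"` once alert_syslog is in place; the port is stripped from the source so a scanner's rotating source ports collapse into one counter.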
Related
I have an up-and-running service (it is an emulated machine or something similar) on my local Ubuntu machine, and I'm able to access it through a serial port and the following socat command:
> sudo socat file:`tty`,raw,escape=0x1d,echo=0 unix-connect:/tmp/sample-serial
root@sample:~#
I exit from the service, and with the following socat command I can execute the bash file (it is on the local machine) on this service.
> sudo socat file:my_bash_script.sh unix-connect:/tmp/sample-serial
If I enter the service again with the first socat command I can see the my_bash_script.sh output going on in the service terminal.
The question is: how can I see the output of this my_bash_script.sh from the local machine?
Consider that the socat command does not exist in the service, so I can't open TCP connections or similar.
Kind Regards
In the second command, the file: address appends the command output to the script. Try something like
sudo socat file:my_bash_script.sh!!- unix-connect:/tmp/sample-serial
to get command output on your terminal.
Please note that '!' may substitute part of the command line with some terminal history; type
set +H
to turn this behaviour off.
I am using NodeJS on a Raspberry Pi at startup (rc.local). I have an issue: my FTP client is not able to download data if NodeJS is run at startup.
But if I run it from the command line myself, it works great and can download files through the FTP client.
Is there any way to see console logs while using NodeJS at startup?
My project is already very delayed, please help.
Thanks in advance.
rc.local:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#sudo neo4j start &
#sudo su pi -c 'sudo neo4j start < /dev/null &'
#sudo su pi -c 'sudo /etc/init.d/mysql start < /dev/null &'
sudo su pi -c 'node /home/pi/Desktop/RaspberyryPiLearning/bin/www < /home/pi/Desktop/error.log &'
# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
    printf "My IP address is %s\n" "$_IP"
fi
exit 0
You should specify the whole path of the node binary and of your node app, for example: sudo su pi -c '/usr/bin/node /home/pi/node_app/index.js'.
You can type which node to get the path of the node binary.
But a better option would be to use PM2. It will handle the startup loading of your node apps, handle/display their logs, and restart them in case of error. You can monitor them too, stop, restart...
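A job started from rc.local has no terminal and a minimal PATH, which is why programs "work from the shell but not at boot" and why their console output vanishes. The wrapper below is an added example (not from the question or the answer) that captures a job's stdout and stderr, records the boot-time PATH for diagnosis, and backgrounds the job so rc.local can still exit 0. The log and pid paths in the usage comment are assumptions; the app path is the one from the question.

```shell
#!/bin/sh
# Added example: run a job from rc.local while keeping its console output.
# rc.local runs without a terminal and with a minimal PATH, so output is lost unless
# redirected, and binaries found via PATH in an interactive shell may not resolve at boot.

# run_logged LOGFILE CMD [ARGS...]: append a header, CMD's stdout+stderr and its exit
# status to LOGFILE; the function returns CMD's exit status.
run_logged() {
    logfile=$1; shift
    {
        printf '=== %s start: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
        printf 'PATH=%s\n' "$PATH"      # the boot-time PATH, for "works in my shell" debugging
    } >> "$logfile"
    status=0
    "$@" >> "$logfile" 2>&1 || status=$?
    printf '=== exit status %d\n' "$status" >> "$logfile"
    return "$status"
}

# run_logged_bg LOGFILE PIDFILE CMD [ARGS...]: same, but in the background so rc.local
# can carry on to its "exit 0"; the wrapper's PID is written to PIDFILE.
run_logged_bg() {
    logfile=$1; pidfile=$2; shift 2
    run_logged "$logfile" "$@" &
    echo $! > "$pidfile"
}

# Example rc.local usage (assumed log/pid paths; app path from the question). Full paths
# are used for su and node, as the answer recommends:
#   run_logged_bg /var/log/www-app.log /var/run/www-app.pid \
#       /bin/su -s /bin/sh pi -c '/usr/bin/node /home/pi/Desktop/RaspberyryPiLearning/bin/www'
```

After a reboot, `tail /var/log/www-app.log` shows the PATH the app was started with, anything it printed, and its exit status, which is usually enough to tell a missing binary from an application error.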
This is my first time working with SNMP, but after reading the SNMP pages I'm still having trouble getting a simple shell script to run when receiving a trap.
My /etc/snmp/snmptrapd.conf file looks like this:
# Example configuration file for snmptrapd
#
# No traps are handled by default, you must edit this file!
#
disableAuthorization yes
authCommunity log,execute,net public
# the generic traps
traphandle default /usr/local/bin/snmptrapd.sh
The snmptrapd.sh script just says "hello":
#!/bin/sh
echo "hello"
The script is executable and runs when executed independently:
> /usr/local/bin/snmptrapd.sh
hello
snmptrapd is running as a background process:
> ps -ef | grep snmp
root 29477 1 0 14:49 ? 00:00:00 /usr/sbin/snmptrapd -Lsd -p /var/run/snmptrapd.pid -Cc /etc/snmp/snmptrapd.conf
And yet when I send a trap locally using snmptrap nothing happens:
> snmptrap -v 2c -c public localhost "" NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification netSnmpExampleHeartbeatRate i 123456
>
Now it seems that the trap does get logged, because the system log file (/var/log/messages) has the following entry:
Aug 8 15:46:10 <server_name> snmptrapd[29477]: 2017-08-08 15:46:10 localhost
[UDP: [127.0.0.1]:44928->[127.0.0.1]]:#012DISMAN-EVENT-MIB::sysUpTimeInstance =
Timeticks: (1338382434) 154 days, 21:43:44.34#011SNMPv2-MIB::snmpTrapOID.0 =
OID: NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification#011NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatRate
= INTEGER: 123456
As far as I can see everything is set up correctly. If so, why is the trap handle not working and how can one check why the trap doesn't trigger the script?
Thanks in advance.
EDIT: When I added the -Ci option to the snmptrapd command line options I got the following error:
No log handling enabled - turning on stderr logging
: Unknown Object Identifier (Sub-id not found: (top) -> )
OK, so after looking around some more I found the answer.
The reason that we are not seeing the output is that snmptrapd is being run as a daemon and doesn't send its standard output to the console. One can replace this with
echo "hello" > $HOME/output.txt
and the word 'hello' appears in the output.txt file.
See also http://www.linuxquestions.org/questions/linux-newbie-8/net-snmp-trap-handling-4175420577/
and
https://superuser.com/questions/823435/where-to-log-stdout-and-stderr-of-a-daemon
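Writing to a file is also the way to see what the handler actually received. The script below is an added example of a traphandle script, not the one from the question or the answer: it reads the trap in the shape snmptrapd passes on stdin (sending host name, transport address, then one "OID value" pair per line, as described in snmptrapd.conf(5)) and appends one record per trap to a file. The log path is an assumption, and the sample trap is constructed from the values in the question.

```shell
#!/bin/sh
# Added example traphandle script. snmptrapd is a daemon, so the handler's stdout goes
# nowhere; write a record to a file instead. snmptrapd hands the trap to the handler on
# stdin: line 1 the sending host name, line 2 the transport address, then one
# "OID value" pair per line (snmptrapd.conf(5)).
TRAP_LOG=${TRAP_LOG:-/tmp/snmptrap-handler.log}   # assumed path; must be writable by snmptrapd's user

# format_trap: read one trap from stdin, print "host address trapOID | var=value; ..."
format_trap() {
    IFS= read -r host
    IFS= read -r addr
    trapoid=""; vars=""
    while IFS= read -r line; do
        oid=${line%% *}          # text up to the first space
        val=${line#* }           # the rest (whole line if there is no space)
        case "$oid" in
            *snmpTrapOID.0)      trapoid=$val ;;
            *sysUpTimeInstance)  ;;                       # uptime: not worth logging
            *)                   vars="$vars${vars:+; }$oid=$val" ;;
        esac
    done
    printf '%s %s %s | %s\n' "$host" "$addr" "$trapoid" "$vars"
}

# handle_trap: the entry point "traphandle default" would invoke; appends one line per trap
handle_trap() {
    format_trap >> "$TRAP_LOG"
}

# Constructed sample trap in the stdin shape described above (values from the question)
SAMPLE_TRAP='localhost
UDP: [127.0.0.1]:44928->[127.0.0.1]
DISMAN-EVENT-MIB::sysUpTimeInstance 154:21:43:44.34
SNMPv2-MIB::snmpTrapOID.0 NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification
NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatRate 123456'

# Stand-alone demo: format the sample. In the installed handler this last line is
# simply "handle_trap", so the real trap on stdin is consumed.
printf '%s\n' "$SAMPLE_TRAP" | format_trap
```

Point `traphandle default` at the installed copy, send the heartbeat trap from the question, and the record should appear in the log file; if it does not, the handler was never invoked and the problem is in snmptrapd's configuration rather than in the script.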
I have developed this script (the program name is x1):
#!/bin/bash
/usr/bin/top -n 1 >/tmp/top1.log
echo ok
Next is the command that I run on the terminal and get the correct reply:
./x1
meaning that the output of the external command top -n 1 >/tmp/top1.log is written to the file top1.log and then the message ok is printed!
But if I configure snmpd.conf and the program is run by the snmp service:
snmpwalk -v2c -c public 127.0.0.0 OID
the output of the external command top -n 1 >/tmp/top1.log is not placed in top1.log, the file top1.log is not generated, and only the message ok is printed in the output.
In fact, the top -n 1 >/tmp/top1.log command cannot be run by the SNMP service.
My snmpd.conf:
syslocation Server Room
syscontact Sysadmin (root@localhost)
rwcommunity public 192.168.7.165
rwcommunity public 127.0.0.1
sh 1.3.6.1.4.1.999.4.1.4 public /tmp/x1
I used (sh and exec) to run it!
Getting a "No output returned from plugin" error message from a Nagios/NRPE script
1) Running Nagios v3.2.3 and NRPE v2.12
2) The script:
OK_STATE=0
UNAME=`/bin/uname -r`
echo "OK: Kernel Version=$UNAME"
exit $OK_STATE
3) Command line results on the Nagios server using NRPE
Same OK results for both the root and nagios users:
[nagios@cmonmm03 libexec]$ ./check_nrpe -H dappsi01b.dev.screenscape.local -c check_kernel
OK: Kernel Version=2.6.18-194.11.3.el5
When I run the check_kernel.sh script on the machine's local command line it works there too.
Help, any thoughts or known solution regarding this would be appreciated.
Thank you
Your command does not take any arguments, but it is likely the command definition for check_nrpe does define an argument parameter, for example:
define command{
    command_name    check_nrpe
    command_line    /usr/lib64/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -a $ARG2$
}
Therefore, try placing a dummy argument in the service definition:
define service{
    use                 normal-service
    host_name           hostname
    service_description Description
    check_command       check_nrpe!check_foo!placeholder
}
Did you add the nagios host to the /etc/xinetd.nrpe.cfg file? Specifically, the only_from line typically includes the localhost (on the remote system). Make sure to add the IPs of your nagios host there as well:
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.1.61
}
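The only_from check above is easy to automate on a fleet of monitored hosts. The script below is an added example, not code from the question or either answer: it extracts the relevant parameters from an xinetd nrpe stanza and reports whether the service is enabled and whether a given Nagios server address is allowed to connect. The stanza quoted in the answer is embedded as the sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an xinetd nrpe stanza for the condition the answer above points
# at (the Nagios server missing from only_from) and for the service being disabled.
# Sample input: the stanza quoted in the answer.
SAMPLE_XINETD_NRPE='# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.1.61
}'

# xinetd_param CONFIG NAME -> value of the first "NAME = value" (or "NAME += value") line
xinetd_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*+\{0,1\}=[[:space:]]*//p" | head -n 1
}

# nrpe_xinetd_audit CONFIG NAGIOS_IP: print findings; return 0 only if NAGIOS_IP may connect.
# Only literal addresses in only_from are matched; xinetd also accepts network prefixes
# such as 192.168.1.0/24, which this check does not expand.
nrpe_xinetd_audit() {
    conf=$1; nagios_ip=$2; rc=0
    disabled=$(xinetd_param "$conf" disable)
    allowed=$(xinetd_param "$conf" only_from)
    port=$(xinetd_param "$conf" port)
    if [ "$disabled" = "yes" ]; then
        echo "FAIL: nrpe is disabled in xinetd (disable = yes)"; rc=1
    else
        echo "OK: nrpe enabled on port ${port:-5666}"
    fi
    found=0
    for ip in $allowed; do
        if [ "$ip" = "$nagios_ip" ]; then found=1; fi
    done
    if [ "$found" -eq 1 ]; then
        echo "OK: $nagios_ip is listed in only_from ($allowed)"
    else
        echo "FAIL: $nagios_ip is not in only_from ($allowed); add it and restart xinetd"; rc=1
    fi
    return $rc
}

# Stand-alone demo against the sample stanza
nrpe_xinetd_audit "$SAMPLE_XINETD_NRPE" 192.168.1.61
```

On a real host, run it as `nrpe_xinetd_audit "$(cat /etc/xinetd.d/nrpe)" <nagios-server-ip>`; a non-zero exit is a quick way to separate "xinetd refused the connection" from a plugin that genuinely printed nothing.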