[Snort-users] How to log all alerts to pcap file and a selected set to syslog
cpw at ...440...
Fri Jul 12 15:13:26 EDT 2002
I've run out of gas. So, I'm assuming that it is something simple I missed.
What I want to do is post process most of the alerts (like barnyard I
presume, but I'm not there yet) and for a very small few use syslog so
I can hear about it immediately. My first cut (without the syslog part)
In my conf file:
output log_tcpdump: fullpath_to_file
However, when I run it the default is to create an alert file.
So, next I ran with the switch
snort ... -A none ...
All is good, I'm getting a libpcap file which I can process later.
Now, I want to "alert" but just for a few select rules. Well, -A none has
to go. So, what to do? ...
I create a "redalert" thusly:
output alert_syslog: LOG_LOCAL5 LOG_ALERT
I do a gang edit on all the rules files to replace ^alert^log.
I create an eleet redalert rule:
redalert udp any any -> 192.168.1.1 31337 (msg: "Click Me Doctor Memory"; content: "excuse me for knocking"; classtype: testing; sid:31337;rev:1;)
I remove "-A none".
and start up snort.
I ran attack.pl in the background, and while it was abusing my snort, I
did the following:
% echo "excuse me for knocking" | /usr/bin/nc -u 192.168.1.1 31337
Lo and behold, packets were accumulating in the libpcap log file, I
got a page (cause I have something watching the syslog file), and the
"alert" file gratuitously created for me was empty! Beats writing it
I stopped snort and ran a post process snort ... -r tcpdump.log ...
with a modified config file (I replace all the log's and redalerts with
And, besides the page I got when I sent out the "excuse me" packet, I
have a nice little summary of what happened today.
15:31:24, 579 packets processed at 6.64 pps in 84 seconds, with 0 drops.
# Classification summary
8 access to a potentially vulnerable web application:2
1 Your test succeeded:4
# Alert message summary
1 [1:1772:3] WEB-IIS pbserver access
1 [1:31337:1] Click Me Doctor Memory
1 [1:1660:3] WEB-IIS trace.axd access
1 [1:1626:4] WEB-IIS /StoreCSVS/InstantOrder.asmx request
1 [1:1754:2] WEB-IIS as_web4.exe access
1 [1:1756:2] WEB-IIS NewsPro administration authentication attempt
1 [1:1753:2] WEB-IIS as_web.exe access
1 [1:1484:3] WEB-IIS /isapi/tstisapi.dll access
1 [1:1750:3] WEB-IIS users.xml access
# Alert destination address and port summary
It's great when things come together.
Have a nice weekend, see you next week.
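The configuration the post walks through, written out as one snort.conf fragment. This is an added example, not the poster's actual file: the file paths, the 192.168.1.1 host, the "testing" classification line and the rule file name are assumptions. The post shows only the `output alert_syslog:` line for "redalert"; in Snort a custom rule action is declared with a `ruletype` block, and a rule using that action is handled by the output plugins listed inside the block. That is what keeps syslog quiet for the ordinary `log` rules, and it is also why the block below carries its own `log_tcpdump` line, so the packets that page you are captured to pcap as well rather than going to syslog only.

```snort
# Added example, not code from the original post. Paths, host and the
# classification line are assumptions; adjust them for your sensor.

# Custom rule action "redalert": looks like "alert", but only the output
# plugins declared in this block fire for rules that use it. That is the
# whole trick: syslog is attached here and nowhere else, so only redalert
# rules can page you.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_LOCAL5 LOG_ALERT
    # Capture the paged packets too, to a separate pcap so the global
    # log_tcpdump below does not need to share a file with this one.
    output log_tcpdump: /var/log/snort/redalert.log
}

# Global output for every ordinary "log" rule: packets only, no alert file,
# no syslog. Post-process this later with "snort -r" and a second config.
output log_tcpdump: /var/log/snort/snort.log

# Classification referenced by the test rule (assumed to be what produced
# the "Your test succeeded:4" line in the post's summary).
config classification: testing,Your test succeeded,4

# Bulk rules: after the gang edit every rule in these files begins with
# "log" instead of "alert", so they reach the pcap and nothing else.
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-iis.rules

# The handful of rules that must be heard about immediately use the
# custom action instead of "log".
redalert udp any any -> 192.168.1.1 31337 (msg:"Click Me Doctor Memory"; content:"excuse me for knocking"; classtype:testing; sid:31337; rev:1;)
```

Run it live without any `-A` switch (the outputs above already say where everything goes; `-A none` would also silence the syslog plugin), for example `snort -c /etc/snort/snort.conf -i eth0`. For the daily summary, keep a second config in which the rule files still say `alert` and the `redalert` rule is also written as `alert`, and replay the capture with `snort -c /etc/snort/postprocess.conf -r /var/log/snort/snort.log`; Snort then evaluates the stored packets against the full rule set and produces the alert output you suppressed during live capture.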