[Snort-users] Help

Ninad Purohit ninadpurohit at ...11827...
Wed Jun 23 23:50:33 EDT 2010


On 6/24/10, snort-users-request at lists.sourceforge.net
<snort-users-request at lists.sourceforge.net> wrote:
> Send Snort-users mailing list submissions to
> 	snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> 	snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> 	snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Useful logging of performance statistics (Crook, Parker)
>    2. Re: Useful logging of performance statistics (Jason Wallace)
>    3. Re: Useful logging of performance statistics (Crook, Parker)
>    4. Having problem with Barnyard (Nick Moore)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 22 Jun 2010 17:05:38 -0400
> From: "Crook, Parker" <Parker_Crook at ...14786...>
> Subject: Re: [Snort-users] Useful logging of performance statistics
> To: 'Jason Wallace' <jason.r.wallace at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<67C1678059C61F408194E53907AFB5CC0A4160DC2F at ...14787...>
> 	
> Content-Type: text/plain; charset="iso-8859-1"
>
> Wally,
>
> Here's my sources:
>
> source s_all {
>         # message generated by Syslog-NG
>         internal();
>         # standard Linux log source (this is the default place for the syslog()
>         # function to send logs to)
>         unix-stream("/dev/log");
>         # messages from the kernel
>         file("/proc/kmsg" log_prefix("kernel: "));
>         # use the following line if you want to receive remote UDP logging messages
>         # (this is equivalent to the "-r" syslogd flag)
>         # udp();
> };
>
> -Parker
>
> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace at ...11827...]
> Sent: Tuesday, June 22, 2010 4:53 PM
> To: Crook, Parker
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Useful logging of performance statistics
>
> Out of curiosity what do you have for sources? Is s_all just snort logs?
>
> Wally
>
> On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook at ...14786...>
> wrote:
>> Good afternoon all,
>>
>>
>>
>> I recently switched over to syslog-ng in my lab environment after living
>> with the status-quo for way too long (On Debian, Snort logs to
>> /var/log/syslog).  After being lazy and scrolling the few hundred/thousand
>> lines to get to the rules and preprocessor stats in my log files, I wanted a
>> better way.  Now that I am using syslog-ng, I have:
>>
>> #DESTINATION
>> destination snort_info { file("/var/log/snort_info"); };
>> destination snort_warn { file("/var/log/snort_warn"); };
>> destination snort_notice { file("/var/log/snort_notice"); };
>> destination snort_crit { file("/var/log/snort_crit"); };
>> destination snort_err { file("/var/log/snort_err"); };
>> destination snort_emerg { file("/var/log/snort_emerg"); };
>>
>> #FILTER
>> filter f_snort_info { level(info); };
>> filter f_snort_notice { level(notice); };
>> filter f_snort_warn { level(warn); };
>> filter f_snort_crit { level(crit); };
>> filter f_snort_err { level(err); };
>> filter f_snort_emerg { level(emerg); };
>>
>> #LOG
>> log { source(s_all); filter(f_snort_info); destination(snort_info); };
>> log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
>> log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
>> log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
>> log { source(s_all); filter(f_snort_err); destination(snort_err); };
>> log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
>>
>> And was kind of hoping for a nice breakup of logging; alas:
>>
>>   4 drwxr-xr-x 2 snort       snort   4096 2010-06-22 15:04 snort
>>  12 -rw-r----- 1 root        adm     8465 2010-06-22 15:04 snort_err
>> 452 -rw-r----- 1 root        adm   455815 2010-06-22 15:17 snort_info
>> 588 -rw-r----- 1 root        adm   597570 2010-06-22 15:04 snort_notice
>>  24 -rw-r----- 1 root        adm    22932 2010-06-22 15:04 snort_warn
>>
>> So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
>> snort_notice, but I still have to rummage through a bunch of cruft just to
>> get what I am looking for.  So my question is:  Is there a better way?  I
>> want to log my rule profile & preprocessor profile statistics to a log unto
>> themselves for easy(ier) historical comparison.
>>
>>
>>
>> Thanks,
>>
>> Parker
>>
>> ------------------------------------------------------------------------------
>> ThinkGeek and WIRED's GeekDad team up for the Ultimate
>> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
>> lucky parental unit.  See the prize list and enter to win:
>> http://p.sf.net/sfu/thinkgeek-promo
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 22 Jun 2010 19:00:52 -0400
> From: Jason Wallace <jason.r.wallace at ...11827...>
> Subject: Re: [Snort-users] Useful logging of performance statistics
> To: "Crook, Parker" <Parker_Crook at ...14786...>
> Cc: "snort-users at lists.sourceforge.net"
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<AANLkTim4Ch2XEjVxWjgjzIDO5-0ivJlrSX_RqGgJ05ti at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> If the goal is to only have snort logs in those files then I do not
> think what you have will work. That would result in log files with all
> info logs, including system logs, in snort_info, all warn logs in
> snort_warn...etc. You need to add something to the filters to tell
> them you want those levels but only for snort related logs. I'm not
> in front of my box right now but I think (from memory) you might be
> looking for the "match" statement...or "program" might work.
>
> Wally
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 23 Jun 2010 08:45:33 -0400
> From: "Crook, Parker" <Parker_Crook at ...14786...>
> Subject: Re: [Snort-users] Useful logging of performance statistics
> To: 'Jason Wallace' <jason.r.wallace at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<67C1678059C61F408194E53907AFB5CC0A4160DC30 at ...14787...>
> 	
> Content-Type: text/plain; charset="iso-8859-1"
>
> Wally,
>
> Thanks for the reply -- I guess I should have been a little clearer in my
> original post:  the definitions I list here are the custom definitions, I am
> still using the default logging facilities as well, ie:
>         destination df_auth { file("/var/log/auth.log"); };
>         destination df_syslog { file("/var/log/syslog"); };
>         .
>         .
>         .
> ...along with the filters and logs.  Snort_notice only contains logs from
> Snort; however it contains what seems to be all information from starting
> and stopping Snort, whereas I am looking for a way to log the rule & preproc
> performance stats to a separate file.  I tried setting up a filter for
> syslog-ng, but the problem is that the information gets logged line by line,
> and threw off my plan of setting up a regex filter.
>
> My intent in asking this question would be: does anyone else have a
> mechanism to log this info in an easily accessible place?  If not, is there
> a good way to accomplish it (I thought about a series of regex filters
> inside of syslog-ng, but after I started bashing out a 'solution' I stepped
> back and thought, 'those are some seriously ugly pcre's' and there has got
> to be a better way)?  And of course, is anybody else using this form of
> logging to acquire information on rule performance in their environment?
> I have found it terribly useful.
>
> -Parker
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 23 Jun 2010 17:32:10 -0500
> From: Nick Moore <nmoore at ...1935...>
> Subject: [Snort-users] Having problem with Barnyard
> To: snort-users at lists.sourceforge.net
> Message-ID:
> 	<AANLkTil5ROmaATG29X_P0PDOZQaXYP5h2OyNzBhn6wW2 at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> All,
>
> I'm having a problem with Barnyard putting data into MySQL. Snort is seeing
> events and the log file is increasing, but no events have yet been written
> to the database.
>
> I've attached my snort.conf and barnyard2.conf. Based on the Snort screen
> output below, I'm sure events are triggering:
>
> ===============================================================================
> Action Stats:
> ALERTS: 246
> LOGGED: 246
> PASSED: 0
> =====================
>
> I'm sure I'm overlooking something simple. If anyone can point me in the
> right direction, it would be much appreciated.
>
> Thanks!
>
> --
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>       nickgmoore38 (AIM)
>
>    ,,_
>   o"  )~   Sourcefire - The Creators of Snort
>    ''''
>
> www.sourcefire.com         www.snort.org
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: barnyard2.conf
> Type: application/octet-stream
> Size: 8162 bytes
> Desc: not available
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: snort.conf
> Type: application/octet-stream
> Size: 18090 bytes
> Desc: not available
>
> ------------------------------
>
> End of Snort-users Digest, Vol 49, Issue 31
> *******************************************
>

-- 
Sent from my mobile device


ninad purohit
<ninadpurohit (at) gmail (dot) com>
have a nice day :-)
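The digest quoted above ends with Parker's question unanswered: how to get Snort's rule and preprocessor profile statistics into a file of their own when syslog hands them over one line at a time, which defeats a per-line syslog-ng regex filter. The following is an added example, not code from Parker, Wally, Nick or the Snort project. It assumes the first half has been done with the syslog-ng `program()` filter Wally named (the fragment in the docstring, with a made-up destination path), so that one file holds only lines tagged `snort[pid]:`. The script then reassembles the multi-line "Rule Profile Statistics" and "Preprocessor Profile Statistics" blocks from those syslog records, indexes rule rows by GID/SID, and compares two shutdown summaries to flag rules whose Avg/Check grew, which is the historical comparison Parker asked for. The program tag `snort`, the host name, PIDs and all sample log lines are constructed here and only approximate Snort 2.x's column layout.

```python
"""Pull Snort profile statistics back out of a syslog-ng file.

Added example, not code from the thread or from Snort. Assumed upstream
syslog-ng config (the program() filter Wally mentioned; path is made up):
    filter f_snort { program("snort"); };
    destination d_snort { file("/var/log/snort/snort.log"); };
    log { source(s_all); filter(f_snort); destination(d_snort); };
Each line is then "<Mon dd HH:MM:SS> <host> snort[<pid>]: <message>".
"""
import re

SYSLOG_PREFIX = re.compile(           # program tag "snort" is an assumption
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ snort(?:\[\d+\])?: ?(?P<msg>.*)$")
SECTION_HEADER = re.compile(r"^(Rule|Preprocessor) Profile Statistics")
DECORATION = re.compile(r"^[=\s]+$")  # "=====" and "=== === ===" ruler lines


def strip_syslog_prefix(line):
    """Return the message body of a line written by snort, else None."""
    m = SYSLOG_PREFIX.match(line.rstrip("\n"))
    return m.group("msg") if m else None


def extract_profile_sections(lines):
    """Map each profile section title to its data rows (list of dicts).

    A section is: title, ruler, column names, ruler, one row per line. Rows
    stop at the first line whose first token is not the integer Num column
    (a blank line, "Snort exiting", or the next section title).
    """
    sections, title, columns = {}, None, None
    for raw in lines:
        msg = strip_syslog_prefix(raw)
        if msg is None:                          # another daemon's line
            continue
        body = msg.strip()
        if SECTION_HEADER.match(body):
            title, columns = body, None
            sections[title] = []
            continue
        if title is None or DECORATION.match(body):
            continue
        if columns is None:                      # "Pct of Caller" -> one token
            columns = re.sub(r"Pct of (\w+)", r"Pct_of_\1", body).split()
            continue
        fields = body.split()
        extra = len(fields) - len(columns)
        if extra > 0:                            # names like "rule eval" split
            fields = [fields[0], " ".join(fields[1:2 + extra])] + fields[2 + extra:]
        if fields and fields[0].isdigit() and len(fields) == len(columns):
            sections[title].append(dict(zip(columns, fields)))
        else:
            title = columns = None               # section finished
    return sections


def rule_rows(sections):
    """Index the Rule Profile rows by (GID, SID), whatever the title suffix."""
    for title, rows in sections.items():
        if title.startswith("Rule Profile Statistics"):
            return {(r["GID"], r["SID"]): r for r in rows}
    return {}


def slower_rules(old_sections, new_sections, factor=1.5):
    """(GID, SID) rules whose Avg/Check grew by more than `factor` between runs."""
    old, new = rule_rows(old_sections), rule_rows(new_sections)
    flagged = []
    for key, row in new.items():
        if key in old:
            before, after = float(old[key]["Avg/Check"]), float(row["Avg/Check"])
            if before > 0 and after / before > factor:
                flagged.append((key, before, after))
    return sorted(flagged)


# Constructed sample (not real sensor output): two shutdown summaries in the
# approximate Snort 2.x layout, plus an unrelated cron line that must be ignored.
P = "Jun 22 15:04:01 sensor snort[2231]: "
RUN_1 = [
    P + "Rule Profile Statistics (all rules)",
    P + "==================================================",
    P + "  Num    SID GID Rev  Checks Matches Alerts  Microsecs Avg/Check Avg/Match Avg/Nonmatch",
    P + "  ===    === === ===  ====== ======= ======  ========= ========= ========= ============",
    P + "    1   2389   1  12    1400    1400      2       5600       4.0       4.0          0.0",
    P + "    2   1000   1   1     900       3      3        450       0.5      10.0          0.4",
    P + "Preprocessor Profile Statistics (all)",
    P + "==================================================",
    P + " Num  Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total",
    P + " ===  ============ ===== ====== ===== ========= ========= ============= ============",
    P + "  1         detect     0   5880  5880     33084      5.63         37.71        37.71",
    P + "   2     rule eval     1   5880  5880     31000      5.27         93.70        35.33",
    P + "Snort exiting",
    "Jun 22 15:04:02 sensor cron[999]: (root) CMD (run-parts /etc/cron.hourly)",
]
RUN_2 = [ln.replace("15:04:01", "16:30:12") for ln in RUN_1[:4]] + [
    P + "    1   2389   1  12    1400    1400      2      13300       9.5       9.5          0.0",
    P + "    2   1000   1   1     900       3      3        540       0.6      12.0          0.5",
    P + "Snort exiting",
]

if __name__ == "__main__":
    before, after = extract_profile_sections(RUN_1), extract_profile_sections(RUN_2)
    for title, rows in before.items():
        print("%s: %d rows" % (title, len(rows)))
    for (gid, sid), old_avg, new_avg in slower_rules(before, after):
        print("rule %s:%s Avg/Check %.1f -> %.1f" % (gid, sid, old_avg, new_avg))
```

Run against two real shutdown summaries, `slower_rules` prints only the rules whose per-check cost grew, which is the part of the 600 KB snort_notice file Parker actually wanted to read. Because the parser keys off the section title and the column-name line rather than a per-line regex, it tolerates Snort adding or reordering columns, and the `program()` filter upstream keeps other daemons' lines out of the input.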