[Snort-users] Snort and Syslog

Doug Burks doug.burks at ...11827...
Thu Apr 4 14:37:59 EDT 2013


No, in my example $LOG is being passed to the process_start function
(not snort itself).  If I remember correctly, process_start starts the
process *without* the -D (daemon) option, captures the process's
stdout and stderr, and writes them to $LOG.
Doug

On Thu, Apr 4, 2013 at 2:20 PM, Phil Daws <uxbod at ...14273...> wrote:
> Hello Doug,
>
> Very much appreciate the response.  At the moment with a stock Snort install it starts with the command:
>
> /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
>
> so looking at your start script one just needs to append the logfile to the end?
>
> Does that make sense?
>
> ----- Original Message -----
> From: "Doug Burks" <doug.burks at ...11827...>
> To: "Phil Daws" <uxbod at ...14273...>
> Cc: snort-users at lists.sourceforge.net
> Sent: Thursday, 4 April, 2013 6:55:27 PM
> Subject: Re: [Snort-users] Snort and Syslog
>
> Hi Phil,
>
> In Security Onion, we start Snort using the NSMnow scripts which
> provide a function called process_start.  This function starts the
> process and writes the log to a dedicated log file (not syslog).  In
> the following code snippet, you can see that we're logging to $LOG,
> which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
>
>     # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
>     for i in `seq 1 $IDS_LB_PROCS`; do
>         PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
>         LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>         PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
>         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
>         mkdir -p $UNI_DIR
>         chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
>         [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" \
>             "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" \
>             "$PID" "$LOG" "snort-$i (alert data)"
>     done
>
> Hope that helps!
>
> Thanks,
> Doug
>
>
> On Thu, Apr 4, 2013 at 8:23 AM, Phil Daws <uxbod at ...14273...> wrote:
>> Hi,
>>
>> When Snort starts it writes specific information to /var/log/messages eg.
>>
>> Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
>> Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
>> Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
>> Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
>> Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
>> Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
>> Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
>> Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
>> Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
>> Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
>> Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
>>
>> How can I redirect those messages to a separate file, as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(
>>
>> Any thoughts please?
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com



-- 
Doug Burks
http://securityonion.blogspot.com
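Added example (editor's illustration, not NSMnow's, Security Onion's or Snort's own code): a minimal process_start in the style Doug describes, plus the rsyslog rule that addresses Phil's original question for the case where Snort keeps running with -D. The argument order (name, args, pidfile, logfile) mirrors the quoted snippet; everything else, including the path names and the stand-in "snort" script used so this runs offline, is assumed. The reason "snort.none" did nothing is that the left-hand side of a classic rsyslog selector is a facility (auth, daemon, local0, ...), and "snort" is a program name, not a facility; a property-based filter on $programname is the usual fix.

```shell
#!/bin/sh
# process_start NAME ARGS PIDFILE LOGFILE
# Launches the process *without* -D. Daemonising is what makes Snort send its
# startup banner (Aho-Corasick summary etc.) to syslog; run in the foreground,
# the banner goes to stdout/stderr, which we capture into a dedicated log file.
process_start() {
    name=$1; args=$2; pidfile=$3; logfile=$4
    bin=$(command -v "$name") || { echo "process_start: $name not found" >&2; return 1; }
    mkdir -p "$(dirname "$pidfile")" "$(dirname "$logfile")"
    # shellcheck disable=SC2086  (word-splitting $args is intentional)
    "$bin" $args >"$logfile" 2>&1 &
    echo $! >"$pidfile"
}

# True if the pid recorded in PIDFILE is still alive.
process_running() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

process_stop() {
    process_running "$1" && kill "$(cat "$1")" 2>/dev/null
    rm -f "$1"
}

# rsyslog rule (assumed file name) for a still-daemonised Snort: match on the
# program name rather than a facility, and stop processing so the lines never
# reach /var/log/messages. Place it *before* the catch-all "*.info;..." line.
# "& stop" needs rsyslog 7 or later; on older releases write "& ~" instead.
snort_rsyslog_rule() {
    cat <<'EOF'
:programname, isequal, "snort"   /var/log/snort/snort-syslog.log
& stop
EOF
}

# Demo with a constructed stand-in for snort, so the example runs offline.
demo() {
    work=$(mktemp -d)
    # Fake "snort": prints two banner lines (one on stderr) the way the real
    # binary does when not daemonised, then idles.
    cat >"$work/snort" <<'EOF'
#!/bin/sh
echo "[ Port Based Pattern Matching Memory ]"
echo "+- [ Aho-Corasick Summary ] -------" >&2
exec sleep 30
EOF
    chmod +x "$work/snort"
    process_start "$work/snort" "-c /etc/snort/snort.conf -i eth0" \
        "$work/snortu-1.pid" "$work/snortu-1.log"
    sleep 1
    echo "--- captured in $work/snortu-1.log:"
    cat "$work/snortu-1.log"
    echo "--- rsyslog rule to drop into /etc/rsyslog.d/:"
    snort_rsyslog_rule
    process_stop "$work/snortu-1.pid"
    rm -rf "$work"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh process_start.sh --demo` to see both the banner captured in the log file and the rsyslog rule. Whichever route is taken, the OSSEC agent then only needs to be pointed at (or kept away from) one well-known file instead of filtering Snort's startup chatter out of /var/log/messages.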



