[Snort-users] Snort and Syslog

Doug Burks doug.burks at ...11827...
Thu Apr 4 22:53:27 EDT 2013


Could you change your command line to something like the following
(removing the -D and redirecting stdout and stderr to the log file of
your choice)?

/usr/sbin/snort -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf \
    -l /var/log/snort/eth0 >> /var/log/snort.log 2>&1

Doug

On Thu, Apr 4, 2013 at 2:46 PM, Phil Daws <uxbod at ...14273...> wrote:
> Darn, have to look at the code and see what it's logging to. Thank you.
> ----- Original Message -----
> From: "Doug Burks" <doug.burks at ...11827...>
> To: "Phil Daws" <uxbod at ...14273...>
> Cc: snort-users at lists.sourceforge.net
> Sent: Thursday, 4 April, 2013 7:37:59 PM
> Subject: Re: [Snort-users] Snort and Syslog
>
> No, in my example $LOG is being passed to the process_start function
> (not snort itself).  If I remember correctly, process_start starts the
> process *without* the -D (daemon) option, captures the process's
> stdout and stderr, and writes them to $LOG.
> Doug
>
> On Thu, Apr 4, 2013 at 2:20 PM, Phil Daws <uxbod at ...14273...> wrote:
>> Hello Doug,
>>
>> Very much appreciate the response.  At the moment with a stock Snort install it starts with the command:
>>
>> /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
>>
>> so looking at your start script one just needs to append the logfile to the end ?
>>
>> Does that make sense ?
>>
>> ----- Original Message -----
>> From: "Doug Burks" <doug.burks at ...11827...>
>> To: "Phil Daws" <uxbod at ...14273...>
>> Cc: snort-users at lists.sourceforge.net
>> Sent: Thursday, 4 April, 2013 6:55:27 PM
>> Subject: Re: [Snort-users] Snort and Syslog
>>
>> Hi Phil,
>>
>> In Security Onion, we start Snort using the NSMnow scripts which
>> provide a function called process_start.  This function starts the
>> process and writes the log to a dedicated log file (not syslog).  In
>> the following code snippet, you can see that we're logging to $LOG,
>> which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
>>
>>     # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
>>     for i in `seq 1 $IDS_LB_PROCS`; do
>>         PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
>>         LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>>         PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
>>         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
>>         mkdir -p $UNI_DIR
>>         chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
>>         [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" \
>>             "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" \
>>             "$PID" "$LOG" "snort-$i (alert data)"
>>     done
>>
>> Hope that helps!
>>
>> Thanks,
>> Doug
>>
>>
>> On Thu, Apr 4, 2013 at 8:23 AM, Phil Daws <uxbod at ...14273...> wrote:
>>> Hi,
>>>
>>> When Snort starts it writes specific information to /var/log/messages eg.
>>>
>>> Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
>>> Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
>>> Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
>>> Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
>>> Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
>>> Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
>>> Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
>>> Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
>>> Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
>>> Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
>>> Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
>>>
>>> How can I redirect those messages to a separate file, as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then adding snort.* to direct to another file. That did not work :(
>>>
>>> Any thoughts please ?
>>>
>>
>>
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com



-- 
Doug Burks
http://securityonion.blogspot.com
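Below is an added example, not code from this thread and not Security Onion's NSMnow scripts: a minimal process_start-style wrapper in the spirit of what Doug describes. It starts a command in the foreground (no -D), so Snort's startup messages go to stdout/stderr rather than syslog, appends both streams to a dedicated log file and records the PID. The function name, its argument order, the pid/log paths and the stand-in command it runs for the demo are this example's own choices; Snort itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread or Security Onion): a minimal
# process_start-style wrapper. Run Snort *without* -D: in daemon mode
# Snort hands its messages to syslog, in the foreground they go to
# stdout/stderr, which the shell appends to a file of our choosing. The
# file is opened by this wrapper (normally as root) before Snort drops to
# -u/-g, so Snort keeps writing to the already-open descriptors afterwards.

# process_start NAME CMD PIDFILE LOGFILE
#   Runs CMD (one string, handed to `sh -c`) in the background with stdout
#   and stderr appended to LOGFILE, and records its PID in PIDFILE.
process_start() {
    ps_name=$1
    ps_cmd=$2
    ps_pidfile=$3
    ps_logfile=$4
    mkdir -p "$(dirname "$ps_pidfile")" "$(dirname "$ps_logfile")"
    # nohup: survive the launching shell's hangup. stdin is redirected from
    # /dev/null too, so nohup prints no "ignoring input" notice into the log.
    nohup sh -c "$ps_cmd" </dev/null >>"$ps_logfile" 2>&1 &
    echo $! >"$ps_pidfile"
    # Announce on stderr so stdout stays clean for callers using $(...).
    echo "$ps_name: pid $(cat "$ps_pidfile"), log $ps_logfile" >&2
}

# Real use would be the thread's command line minus -D (the pid/log paths
# here are assumptions, not Snort or Security Onion defaults):
#   process_start snort \
#     "/usr/sbin/snort -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0" \
#     /var/run/snort/eth0.pid /var/log/snort/snort-eth0.log

# demo: starts a constructed stand-in that prints one line resembling
# Snort's startup output on stdout and one error line on stderr, waits for
# it to finish, and prints the scratch directory holding the pid and log.
demo() {
    demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/snort-wrapper.XXXXXX")
    process_start fake-snort \
        "echo '[ Port Based Pattern Matching Memory ]'; echo 'ERROR: constructed stderr line' >&2" \
        "$demo_dir/fake-snort.pid" "$demo_dir/fake-snort.log"
    wait    # the stand-in is a child of this shell, so wait reaps it
    echo "$demo_dir"
}

# Stand-alone run: show that both streams landed in the one log file.
demo_out=$(demo 2>/dev/null)
echo "== $demo_out/fake-snort.log =="
cat "$demo_out/fake-snort.log"
```

Two caveats. This only moves Snort's own messages; alerts sent with `output alert_syslog` in snort.conf still go through syslog. And if the messages must stay in syslog but out of /var/log/messages, rsyslog matches them by program name, not by a `snort.*` facility selector (there is no "snort" facility), with a property-based filter such as `:programname, isequal, "snort"` followed by `& stop` (or `& ~` on older rsyslog versions), placed before the /var/log/messages rule.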
