[Snort-users] Snort and Syslog

Jefferson, Shawn Shawn.Jefferson at ...14448...
Fri Apr 5 18:30:55 EDT 2013

It’s actually pretty easy to suppress these in OSSEC.  I have a couple rules, but the one I use for ignoring these syslog events that trigger OSSEC rule id 1002 (error somewhere in the system):

  <rule id="101000" level="0">
    <if_sid>1002</if_sid>  <!-- child of rule 1002, so this level-0 match overrides it -->
    <match>Check for Bounce Attacks:|Bad Message Direction Alert:|Bad Payload Size Alert:|Bad Chk Sum:|Bad TTL:|Bad autodetects:|Bad handshakes:</match>
    <description>Ignoring syslog events from snort startup</description>
  </rule>

From: Phil Daws [mailto:uxbod at ...14273...]
Sent: Thursday, April 04, 2013 11:50 AM
To: Jeremy Hoel
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and Syslog

Hi Jeremy,

How many rules would be required in OSSEC to suppress those entries! ;)  The issue is how to make Snort write to a different file than syslog.  I do not wish to suppress the Snort info, just redirect it to a different file so that I can pick the juicy bits out to monitor.  Appreciate the input.


From: "Jeremy Hoel" <jthoel at ...11827...>
To: "Phil Daws" <uxbod at ...14273...>
Cc: snort-users at lists.sourceforge.net
Sent: Thursday, 4 April, 2013 4:45:24 PM
Subject: Re: [Snort-users] Snort and Syslog

In OSSEC make a local rule to ignore the file and the process?

Or setup snort to not output to syslog..

and you might try running snort with the '-q' flag and see if it's quieter in the logs.

On Thu, Apr 4, 2013 at 12:23 PM, Phil Daws <uxbod at ...14273...> wrote:

When Snort starts it writes specific information to /var/log/messages eg.

Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(

Any thoughts please ?


Please visit http://blog.snort.org to stay current on all the latest Snort news!
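One way to get what Phil asks for, as an added example that is not from any of the posters: rsyslog selectors such as snort.none / snort.* match on the syslog facility, and "snort" is the program name in the message header ("snort[2951]:"), not a facility, so they can never match. Filtering on the programname property does work. The drop-in file name and the destination log path below are assumptions.

```conf
# /etc/rsyslog.d/10-snort.conf   (added example; file name and log path are assumptions)
#
# Why "snort.none" / "snort.*" did nothing: a selector names a syslog FACILITY
# (auth, daemon, local0 ...). "snort" is the PROGRAM NAME taken from the
# "snort[2951]:" header, so the selector never matched anything.
#
# This filter must be evaluated before the rule that writes /var/log/messages,
# e.g. $IncludeConfig /etc/rsyslog.d/*.conf placed above
# "*.info;mail.none;authpriv.none;cron.none   /var/log/messages".

# rsyslog 7+ (RainerScript): send everything snort logs to its own file, then
# stop processing so the same message never reaches /var/log/messages.
if $programname == 'snort' then {
    action(type="omfile" file="/var/log/snort/snort-syslog.log")
    stop
}

# rsyslog 5/6 legacy syntax, equivalent to the block above (use one or the other):
# :programname, isequal, "snort"   /var/log/snort/snort-syslog.log
# & ~
```

After restarting rsyslog the new file can be given to OSSEC as its own <localfile> entry, so rules for the interesting Snort lines are written against that file instead of fighting the startup noise in /var/log/messages.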

