[Snort-users] Syslog Help

beenph beenph at ...11827...
Tue Mar 19 13:48:44 EDT 2013


On Mon, Mar 18, 2013 at 8:20 AM, Kevin Ross <kevross33 at ...14012...> wrote:
> Hi,
>
> I usually use unified 2 to barnyard which sends logs into mysql. Now I have
> the need to send Syslog into another log collector. I haven't used syslog
> for snort output in a while but I have never had these issues before.
>
> I have configured the syslog output in multiple ways and even though alerts
> are processed and sent into mysql database it never generates syslog alerts.
> I have captured traffic with tcpdump from the box and nothing is sent. Does
> anyone have any ideas what is needed? I just need it to send generic syslog
> (and I have checked the usual, network connectivity the collector is there,
> firewalls not in way etc). Strange thing is when run in continuous mode it
> says it is using syslog and has the IP, port, mode etc.
>
> Thanks for any help,
> Kevin
>
> output alert_syslog_full: sensor_name NAME, server 10.X.X.X.X, protocol udp,
> port 514, operation_mode default (tried complete and other options too)
>
> # snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.1 GRE (Build 69)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.12 2011-01-15
>            Using ZLIB version: 1.2.5
>
> # barnyard2 -V
>
>   ______   -*> Barnyard2 <*-
>  / ,,_  \  Version 2.1.12 (Build 321)
>  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
>  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
>
> # ps aux | grep barn
> root     18725 77.4  3.6  91792 73064 ?        Rs   12:11   2:29
> /usr/local/bin barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f
> snort.u2 -w /var/log/snort/bylog.waldo -D
>
> # ps aux | grep snort
> snort    18698 73.3 16.1 745592 325160 ?       Rsl  12:11   2:53
> /usr/local/bin snort -D -i em1 -u snort -g snort -c /etc/snort/snort.conf -l
> /var/log/snort/
>
>


Are you sure you're listening to the good interface and that your
routing table is fine for your destination syslog system?

#From conf for testing
output alert_syslog_full: sensor_name NAME, server 127.0.0.20,
protocol udp, port 514, operation_mode default
output log_syslog_full: sensor_name NAME, server 127.0.0.20, protocol
udp, port 514, operation_mode complete



root at ...15897...:~# tcpdump -vvv -i lo -A -s 1524 -n 'port 514'
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1524 bytes
13:16:38.168132 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
    127.0.0.1.59741 > 127.0.0.20.514: [bad udp cksum 0xfe8e ->
0x4a72!] [|syslog]
E..|.. at ...843...@.<\.........]...h..[1:2008017:3] Snort Alert [1:1:3]
[Priority: 1]: {ICMP} 1.1.1.1:0 -> 1.1.1.1:0.
13:16:38.169031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 370)
    127.0.0.1.51788 > 127.0.0.20.514: [bad udp cksum 0xff84 ->
0x9663!] [|syslog]
E..r.. at ...843...@.;f.........L...^..| [SNORTIDS[LOG]: [NAME] ] || 2013-03-14
12:41:48.607+-04 1 [1:1:3] Snort Alert [1:1:3] || [Unknown
Classification] || 1 1.1.1 1.1.1.1 5 0 0 39 24721 0 0 12495 0 || 0 0
15293 29288 0 || 60
00E020110A95001109CF555608004500002760910000400130CF0AC800346F6F6F0B00003BBD7268000048656C6C6F2C576F726C6400000000000000
||
 |.


Seems to work as expected here.
Can you try with loopback first?

Cheers,
-elz
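The loopback check suggested in the reply, as an added Python example that is not from the thread, from Snort or from barnyard2: a throwaway UDP collector plus a parser for the alert_syslog_full record seen in the tcpdump capture. The " || " field layout and the meaning of the event fields (priority, gid:sid:rev) are assumptions read off the captured line, and the sample record is constructed.

```python
import re
import socket

# Constructed sample modelled on the alert_syslog_full "complete" record in the
# capture (packet hex shortened). Field layout between " || " is an assumption.
SAMPLE_RECORD = (
    "[SNORTIDS[LOG]: [NAME] ] || 2013-03-14 12:41:48.607+-04 1 [1:1:3] Snort Alert [1:1:3]"
    " || [Unknown Classification] || 1 1.1.1.1 1.1.1.1 5 0 0 39 24721 0 0 12495 0"
    " || 0 0 15293 29288 0 || 60 00E020110A95001109CF5556 ||"
)

HEADER_RE = re.compile(r"\[SNORTIDS\[(?P<kind>\w+)\]: \[(?P<sensor>[^\]]*)\] \]")
EVENT_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<prio>\d+) \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*)"
)

def parse_record(text: str) -> dict:
    """Split one record on ' || ' and extract sensor, timestamp, gid:sid:rev,
    message and classification; the IP/transport sections are kept raw."""
    fields = [f.strip() for f in text.split("||")]
    fields = [f for f in fields if f]          # drop the empty trailing element
    if len(fields) < 3:
        raise ValueError("not an alert_syslog_full record: %r" % text[:60])
    head = HEADER_RE.search(fields[0])
    ev = EVENT_RE.match(fields[1])
    if head is None or ev is None:
        raise ValueError("unrecognised header/event section: %r" % text[:60])
    rec = head.groupdict()
    rec.update(ev.groupdict())
    rec["classification"] = fields[2].strip("[]")
    rec["extra"] = fields[3:]
    return rec

def open_collector(host: str, port: int) -> socket.socket:
    """Bind a throwaway UDP collector (port 0 picks a free one; 514 needs root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    s.settimeout(5.0)
    return s

def send_record(host: str, port: int, text: str) -> None:
    """Push one record at the collector, standing in for barnyard2 in a loopback test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(text.encode(), (host, port))

def collect(sock: socket.socket, count: int) -> list:
    """Receive `count` datagrams on the bound collector and parse each one."""
    out = []
    while len(out) < count:
        data, _peer = sock.recvfrom(65535)
        out.append(parse_record(data.decode("utf-8", "replace")))
    return out

if __name__ == "__main__":
    col = open_collector("127.0.0.1", 0)
    send_record("127.0.0.1", col.getsockname()[1], SAMPLE_RECORD)
    print(collect(col, 1)[0])
    col.close()
```

Point the collector at the server address from the test config (127.0.0.20, port 514, run as root) to see whether barnyard2's datagrams arrive on loopback before blaming the network path.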

