[Snort-users] Syslog Help

Kevin Ross kevross33 at ...14012...
Wed Mar 20 07:39:54 EDT 2013


Ok, I have tried and nothing on loopback :( I am sure this is working
because other logging formats work, so it is just not syslog. I have attached my
recent barnyard2.conf file and I think I already posted what it is running
as.

I ran a test like this with it configured as output alert_syslog_full:
sensor_name SENSORNAME, server 127.0.0.1, protocol udp, port 514,
operation_mode default and so on as shown below:

1) Test logging:
snort -r /etc/snort/pcaps/kelihos.pcap -c /etc/snort/snort.conf -A console
-- OMITTED ----
OMITTED ET TROJAN Win32/Kelihos.F Checkin 7 [**] [Classification: A Network
Trojan was detected] [Priority: 1] {TCP} OMITTED:1031 -> OMITTED:80
OMITTED  [**] [1:2012707:2] ET CURRENT_EVENTS Suspicious double HTTP Header
possible botnet CnC [**] [Classification: A Network Trojan was detected]
[Priority: 1] {TCP} OMITTED:80 -> OMITTED:1031
2) Started tcpdump:
 tcpdump -vvv -i lo -A -s 1524 -n 'port 514'
3) Ran again:
snort -r /etc/snort/pcaps/kelihos.pcap -c /etc/snort/snort.conf
4) Confirmed it logged to the MySQL database.
5) I have left it all running for a while with "normal" alerts being
generated off the passive interface and it logs to the database fine but never
sends syslog. I have confirmed this issue on 2 different sensors I want
this to run on.

1) Snort is listening on the passive interface; however, in tests I am using
PCAPs of malware activity to generate alerts.
2) Snort writes to unified2.
3) Barnyard2 is picking up the unified2 log and writing to a remote database
so I can view it there. I have been using it this way for years with no
issue.
4) It now has the following line in, but it doesn't work. Here is what I
have tried:
output alert_syslog_full: sensor_name SENSORNAME, server 127.0.0.1,
protocol udp, port 514, operation_mode default
output alert_syslog_full: sensor_name SENSORNAME, server 127.0.0.1,
protocol udp, port 514, operation_mode complete
output alert_syslog_full: sensor_name SENSORNAME, server 127.0.0.1,
protocol udp, port 514, LOG_LOCAL1, operation_mode default
output alert_syslog_full: sensor_name SENSORNAME, server 127.0.0.1,
protocol udp, port 514, LOG_LOCAL1, operation_mode complete
output alert_syslog_full: sensor_name SENSORNAME, server REAL_SERVER,
protocol udp, port 514, operation_mode default
output alert_syslog_full: sensor_name SENSORNAME, server REAL_SERVER,
protocol udp, port 514, operation_mode complete
output alert_syslog_full: sensor_name SENSORNAME, server REAL_SERVER,
protocol udp, port 514, LOG_LOCAL1, operation_mode default
output alert_syslog_full: sensor_name SENSORNAME, server REAL_SERVER,
protocol udp, port 514, LOG_LOCAL1, operation_mode complete
5) Routes are fine from these servers and I can ping, connect to other ports
on the syslog server, etc. The syslog server is known to be working as it is
taking in firewall logs and other things using different methods.
6) I have the following syslog package installed on the client system, which is
currently running Fedora 15 although this will be getting changed soon.
 # rpm --query rsyslog
rsyslog-5.8.7-1.fc15.i686
# yum list *syslog*
Installed Packages (I then installed syslog-ng just in case)
rsyslog.i686                               5.8.7-1.fc15                @updates
syslog-ng.i686                             3.2.5-2.fc15                @updates
Available Packages
erlang-erlsyslog.i686                      0.1-6.fc15                  fedora
perl-Unix-Syslog.i686                      1.1-7.fc15                  fedora
rsyslog-gnutls.i686                        5.8.7-1.fc15                updates
rsyslog-gssapi.i686                        5.8.7-1.fc15                updates
rsyslog-libdbi.i686                        5.8.7-1.fc15                updates
rsyslog-mysql.i686                         5.8.7-1.fc15                updates
rsyslog-pgsql.i686                         5.8.7-1.fc15                updates
rsyslog-relp.i686                          5.8.7-1.fc15                updates
rsyslog-snmp.i686                          5.8.7-1.fc15                updates
rsyslog-udpspoof.i686                      5.8.7-1.fc15                updates
sblim-cmpi-syslog.i686                     0.8.0-2.fc15                fedora
sblim-cmpi-syslog-test.i686                0.8.0-2.fc15                fedora
syslog-ng.i686                             3.2.5-2.fc15                updates
syslog-ng-devel.i686                       3.2.5-2.fc15                updates
syslog-ng-libdbi.i686                      3.2.5-2.fc15                updates
7) I have completely reinstalled everything (Snort, Barnyard2, etc.). Barnyard2
is configured with ./configure --with-mysql.


So is there anything else I should be looking for?
Thanks,
Kevin

On 19 March 2013 17:48, beenph <beenph at ...11827...> wrote:

> On Mon, Mar 18, 2013 at 8:20 AM, Kevin Ross <kevross33 at ...14012...> wrote:
> > Hi,
> >
> > I usually use unified2 to barnyard, which sends logs into mysql. Now I have
> > the need to send syslog into another log collector. I haven't used syslog
> > for snort output in a while, but I have never had these issues before.
> >
> > I have configured the syslog output in multiple ways, and even though alerts
> > are processed and sent into the mysql database it never generates syslog
> > alerts. I have captured traffic with tcpdump from the box and nothing is
> > sent. Does anyone have any ideas what is needed? I just need it to send
> > generic syslog (and I have checked the usual: network connectivity, the
> > collector is there, firewalls not in the way, etc.). The strange thing is
> > that when run in continuous mode it says it is using syslog and has the IP,
> > port, mode etc.
> >
> > Thanks for any help,
> > Kevin
> >
> > output alert_syslog_full: sensor_name NAME, server 10.X.X.X.X, protocol udp,
> > port 514, operation_mode default (tried complete and other options too)
> >
> > # snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.4.1 GRE (Build 69)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> >            Using libpcap version 1.1.1
> >            Using PCRE version: 8.12 2011-01-15
> >            Using ZLIB version: 1.2.5
> >
> > # barnyard2 -V
> >
> >   ______   -*> Barnyard2 <*-
> >  / ,,_  \  Version 2.1.12 (Build 321)
> >  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
> >  + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>
> >
> > # ps aux | grep barn
> > root     18725 77.4  3.6  91792 73064 ?        Rs   12:11   2:29
> > /usr/local/bin barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f
> > snort.u2 -w /var/log/snort/bylog.waldo -D
> >
> > # ps aux | grep snort
> > snort    18698 73.3 16.1 745592 325160 ?       Rsl  12:11   2:53
> > /usr/local/bin snort -D -i em1 -u snort -g snort -c /etc/snort/snort.conf -l
> > /var/log/snort/
> >
> >
>
>
> Are you sure you're listening on the right interface and that your
> routing table is fine for your destination syslog system?
>
> #From conf for testing
> output alert_syslog_full: sensor_name NAME, server 127.0.0.20,
> protocol udp, port 514, operation_mode default
> output log_syslog_full: sensor_name NAME, server 127.0.0.20, protocol
> udp, port 514, operation_mode complete
>
>
>
> root at ...15897...:~# tcpdump -vvv -i lo -A -s 1524 -n 'port 514'
> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1524
> bytes
> 13:16:38.168132 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
> UDP (17), length 124)
>     127.0.0.1.59741 > 127.0.0.20.514: [bad udp cksum 0xfe8e ->
> 0x4a72!] [|syslog]
> E..|.. at ...843...@.<\.........]...h..[1:2008017:3] Snort Alert [1:1:3]
> [Priority: 1]: {ICMP} 1.1.1.1:0 -> 1.1.1.1:0.
> 13:16:38.169031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
> UDP (17), length 370)
>     127.0.0.1.51788 > 127.0.0.20.514: [bad udp cksum 0xff84 ->
> 0x9663!] [|syslog]
> E..r.. at ...843...@.;f.........L...^..| [SNORTIDS[LOG]: [NAME] ] || 2013-03-14
> 12:41:48.607+-04 1 [1:1:3] Snort Alert [1:1:3] || [Unknown
> Classification] || 1 1.1.1 1.1.1.1 5 0 0 39 24721 0 0 12495 0 || 0 0
> 15293 29288 0 || 60
>
> 00E020110A95001109CF555608004500002760910000400130CF0AC800346F6F6F0B00003BBD7268000048656C6C6F2C576F726C6400000000000000
> ||
>  |.
>
>
> Seems to work as expected here.
> Can you try with loopback first?
>
> Cheers,
> -elz
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: barnyard2.conf
Type: application/octet-stream
Size: 11728 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130320/8a5d4f89/attachment.obj>
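The two checks this thread keeps circling back to are (a) does a UDP datagram ever leave the sensor, and (b) what does the alert_syslog_full record look like when it does, in "default" versus "complete" operation_mode. The following is an added example, not code from the thread, Snort or barnyard2: it does the loopback half of the tcpdump check in software (send one datagram to an ephemeral 127.0.0.1 port, read it back) and parses the two record shapes quoted in the reply, including decoding the hex-encoded frame at the end of the complete-mode record. The sample default-mode line and the packet hex are copied from the reply's tcpdump output; the complete-mode line is that record reassembled onto one line with the line-wrapped source address written as 1.1.1.1. Everything else (the field names, the optional RFC 3164 `<PRI>` prefix, facility 17 for LOG_LOCAL1) is an assumption of this example, not barnyard2's documented schema.

```python
"""Added example, not barnyard2 or Snort code: a loopback UDP delivery check plus
parsers for the two alert_syslog_full record shapes quoted in this thread.  Field
names are inferred from that tcpdump output and the Ethernet/IPv4 header layout."""
import re
import socket
import struct

# DEFAULT_MODE_MSG and PACKET_HEX are copied from the reply's tcpdump output;
# COMPLETE_MODE_MSG is that record on one line, source address assumed 1.1.1.1.
DEFAULT_MODE_MSG = ("[1:2008017:3] Snort Alert [1:1:3] [Priority: 1]: "
                    "{ICMP} 1.1.1.1:0 -> 1.1.1.1:0")
PACKET_HEX = ("00E020110A95" "001109CF5556" "0800"        # Ethernet II: dst, src, type
              "4500002760910000400130CF0AC800346F6F6F0B"   # IPv4 header, 20 bytes
              "00003BBD72680000"                           # ICMP echo-reply header
              "48656C6C6F2C576F726C64"                     # "Hello,World"
              "00000000000000")                            # Ethernet padding
COMPLETE_MODE_MSG = ("[SNORTIDS[LOG]: [NAME] ] || 2013-03-14 12:41:48.607+-04 1 "
                     "[1:1:3] Snort Alert [1:1:3] || [Unknown Classification] || "
                     "1 1.1.1.1 1.1.1.1 5 0 0 39 24721 0 0 12495 0 || "
                     "0 0 15293 29288 0 || 60 || " + PACKET_HEX + " || ")

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
DEFAULT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\.?\s*$")
HEAD_RE = re.compile(r"^\[SNORTIDS\[(?P<kind>[A-Z]+)\]: \[(?P<sensor>[^\]]*)\] \]$")
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<prio>\d+) "
                      r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*)$")

def strip_pri(record):
    """Split off an RFC 3164 '<PRI>' prefix if present -> (facility, severity, body).
    The thread does not show whether barnyard2 prepends one, so both forms are accepted."""
    m = PRI_RE.match(record)
    if not m:
        return None, None, record
    return divmod(int(m["pri"]), 8) + (record[m.end():],)

def parse_default(record):
    """operation_mode default: one line per alert, no packet data."""
    m = DEFAULT_RE.match(strip_pri(record)[2])
    if not m:
        raise ValueError("not a default-mode record: %r" % record)
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k])
    return d

def parse_complete(record):
    """operation_mode complete: ' || '-separated fields ending in the frame as hex.
    Only unambiguous fields get names; the other numeric header tokens stay raw."""
    fields = [f.strip() for f in strip_pri(record)[2].split("||")]
    if len(fields) < 7:
        raise ValueError("expected >= 7 '||' fields, got %d" % len(fields))
    head, event = HEAD_RE.match(fields[0]), EVENT_RE.match(fields[1])
    if not head or not event:
        raise ValueError("unrecognised header/event field: %r" % fields[:2])
    ip_tok, frame = fields[3].split(), bytes.fromhex(fields[6])
    if len(frame) != int(fields[5]):
        raise ValueError("declared length %s != %d decoded bytes" % (fields[5], len(frame)))
    return {"kind": head["kind"], "sensor": head["sensor"], "timestamp": event["ts"],
            "priority": int(event["prio"]), "gid": int(event["gid"]), "sid": int(event["sid"]),
            "rev": int(event["rev"]), "msg": event["msg"], "classification": fields[2].strip("[]"),
            "proto": int(ip_tok[0]), "src": ip_tok[1], "dst": ip_tok[2],
            "ip_hdr_tokens": [int(t) for t in ip_tok[3:]],
            "l4_tokens": [int(t) for t in fields[4].split()], "frame": frame}

def decode_frame(frame):
    """Decode the hex field as Ethernet II / IPv4 (DLT_EN10MB, as the reply's tcpdump
    reports); return header fields and the L4 data with Ethernet padding removed."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _flags, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]   # total_len bounds the data; the rest is padding
    out = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": proto,
           "ttl": ttl, "total_len": total_len, "id": ident, "csum": csum, "l4": l4}
    if proto == 1 and len(l4) >= 8:           # ICMP: type, code, csum, 4 header bytes, then data
        out["icmp_type"], out["icmp_code"], out["payload"] = l4[0], l4[1], l4[8:]
    return out

def record_consistent(rec):
    """Cross-check the record's protocol/length/id/checksum tokens against the decoded
    frame.  Addresses are skipped because the thread's copy has them redacted."""
    f = decode_frame(rec["frame"])
    return f["proto"] == rec["proto"] and {f["total_len"], f["id"], f["csum"]} <= set(rec["ip_hdr_tokens"])

def loopback_roundtrip(message, facility=17, severity=1, host="127.0.0.1", timeout=2.0):
    """Send `message` as one UDP datagram to an ephemeral loopback port and return what
    arrives: the software half of the 'tcpdump -i lo port 514' check.  If this works but
    nothing ever shows on port 514, suspect the emitter, not routing or the collector.
    facility 17 = LOG_LOCAL1, severity 1 = LOG_ALERT (assumed defaults)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))                    # port 0: the kernel picks a free port, no root needed
        rx.settimeout(timeout)
        tx.sendto(("<%d>%s" % (facility * 8 + severity, message)).encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data.decode()
```

A typical use is `rec = parse_complete(loopback_roundtrip(COMPLETE_MODE_MSG))` followed by `decode_frame(rec["frame"])`, which recovers the real addresses and the ICMP payload ("Hello,World") from the hex tail even though the textual src/dst fields in the thread's copy were redacted; `record_consistent(rec)` then confirms that the length, IP id and checksum tokens in the text agree with the decoded header. The same functions can be pointed at a real collector by replacing the ephemeral-port receiver with a socket bound to port 514, which is the quickest way to tell "no datagram was sent" apart from "the collector dropped what it received".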

