[Snort-users] Snort+ and logging

Russ rucombs at cisco.com
Fri Sep 21 10:48:55 EDT 2018



On 9/20/18 4:55 PM, Meridoff via Snort-users wrote:
>
>
> Thu, 20 Sep 2018 at 19:48, Andy Swartzbaugh 
> <andy.swartzbaugh at gmail.com <mailto:andy.swartzbaugh at gmail.com>>:
>
>     1)  My understanding is that Barnyard was a remedy to cope with
>     Snort2's single-processor (i.e., not multi-processing) design and
>     that Snort3 should be able to handle logging without needing
>     another process to handle the logging.
>
>
> It is true. But Barny2 is able to send alerts to BD or remote syslog - 
> it is useful. Snort3 now doesn't support it.
Snort 3 can integrate with Barnyard 2 with this configuration:

     bool unified2.legacy_events = false: generate Snort 2.X style 
events for barnyard2 compatibility

The problem is that Snort 3 generates more and different data than BY2 
can process.  An alternative is to use JSON and elastic stack or 
splunk.  See e.g. 
https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html.
>
>     2) from
>     www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging
>     <http://www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging>
>     :
>
>     snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump
>     -l /path/to/log/dir
>
>     from
>     www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog
>     <http://www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog>
>     :
>
>     This must be done in snort.lua as opposed to the command line:
>
>     alert_syslog =
>     {
>             facility = local3,
>             level = info,
>
>     }
>
Just to clarify, facility and level are strings so level = 'info' etc. 
(enums take string values):

$ snort --help-config alert_syslog
enum alert_syslog.facility = auth: part of priority applied to each 
message { auth | authpriv | daemon | user | local0 | local1 | local2 | 
local3 | local4 | local5 | local6 | local7 }
enum alert_syslog.level = info: part of priority applied to each message 
{ emerg | alert | crit | err | warning | notice | info | debug }
multi alert_syslog.options: used to open the syslog connection { cons | 
ndelay | perror | pid }

>
> It is true for alerts. But I've asked about snort process (daemon) log. 
> Nevertheless - thank you for info, it is useful.
>
>     If you wanted to send the logs to another server, that would be
>     handled within rsyslogd (I use Ubuntu).  Create a file named
>     "/etc/rsyslog.d/10-snort.conf" : (the lower the number, the higher
>     the priority) :
>
>     and put the following line in it:
>
>     local3.* @loghost
>
>     On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users
>     <snort-users at lists.snort.org <mailto:snort-users at lists.snort.org>>
>     wrote:
>
>         Hello, I've heard that barnyard2 is out of date for snort3.
>         Though it can be used.
>
>         1. What are the alternative (to barnyard2) ways for logging
>         snort3 alerts to remote databases or remote syslog etc.? Maybe
>         it will be included in the snort3 project in future?
>
>         2. Small question - snort3 itself writes its own log to syslog
>         (-M option). What are the ways to specify internal daemon
>         logging methods: to file or syslog LEVEL or something else? I
>         found nothing concerning this in config.
>
>         Thanks for response
>         _______________________________________________
>         Snort-users mailing list
>         Snort-users at lists.snort.org <mailto:Snort-users at lists.snort.org>
>         Go to this URL to change user options or unsubscribe:
>         https://lists.snort.org/mailman/listinfo/snort-users
>
>                 To unsubscribe, send an email to:
>         snort-users-leave at lists.snort.org
>         <mailto:snort-users-leave at lists.snort.org>
>
>         Please visit http://blog.snort.org to stay current on all the
>         latest Snort news!
>
>         Please follow these rules:
>         https://snort.org/faq/what-is-the-mailing-list-etiquette
>
>
>
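The two configuration points raised in the reply above (alert_syslog enums take string values, and unified2.legacy_events for Barnyard 2 compatibility), as an added snort.lua fragment that is not from the original thread. The space-separated form of the multi-valued options parameter and the default facility of auth are taken from the --help-config output quoted above; the combination with the rsyslog rule local3.* @loghost is an assumption about the reader's setup.

```lua
-- Added example snort.lua fragment (not from the original thread).

-- WRONG: in Lua a bare identifier is a global variable, and an undefined
-- global evaluates to nil. A nil table field is simply absent, so Snort
-- never sees facility/level here and falls back to the defaults
-- (facility = auth, level = info). An rsyslog rule such as
-- `local3.* @loghost` would then match nothing and no alert leaves the box.
--
-- alert_syslog =
-- {
--     facility = local3,   -- nil: global 'local3' is not defined
--     level = info,        -- nil: global 'info' is not defined
-- }

-- CORRECT: enum parameters are strings; the allowed values are listed by
-- `snort --help-config alert_syslog`.
alert_syslog =
{
    facility = 'local3',  -- { auth | authpriv | daemon | user | local0 .. local7 }
    level = 'info',       -- { emerg | alert | crit | err | warning | notice | info | debug }
    options = 'pid',      -- multi: space-separated subset of { cons | ndelay | perror | pid }
}

-- Barnyard 2 can only read Snort 2.X style unified2 events, so turn the
-- legacy format on when BY2 is the consumer. Snort 3 still emits more and
-- different data than BY2 can process, so expect gaps in what BY2 shows.
unified2 =
{
    legacy_events = true,
}

-- Defensive check: catch the unquoted-enum mistake at config load time
-- rather than discovering it when alerts silently stop reaching loghost.
assert(type(alert_syslog.facility) == 'string',
       'alert_syslog.facility must be a quoted string, e.g. \'local3\'')
assert(type(alert_syslog.level) == 'string',
       'alert_syslog.level must be a quoted string, e.g. \'info\'')
```

Run `snort -c snort.lua --warn-all` after editing to let Snort validate the values against its enum lists before putting the config into production.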
