Netgate Discussion Forum
    Snort IDS remote logs suppressed when OpenAppID enabled

    Scheduled Pinned Locked Moved IDS/IPS
    6 Posts 2 Posters 817 Views
InfnBiz:

Hello everyone,

I'm not sure if this is by design or a bug, but I have learned that when I enable OpenAppID my Snort IDS logs fail to export to the remote syslog server.

Has anyone else experienced this behavior?

Versions:

pfSense 2.4.4-RELEASE-p3
Snort 3.2.9.10

bmeeks:

        That is not by design. Are you saying all Snort log entries fail to export or just the OpenAppID entries?

Really can't see how OpenAppID would have any impact on syslog logging. You aren't by some means getting a block on the remote syslog server, are you? Maybe from an OpenAppID rule or something?

        Do you see any errors about Snort in the pfSense system log?

InfnBiz @bmeeks:

@bmeeks Yes, all Snort items are blocked. This can be easily reproduced.

So if this is not by design, the next question is what logs or info are needed from me to get the bug issue created?

bmeeks:

            First I need to see if I can reproduce this myself. I really and truly at this point can't envision any way that enabling OpenAppID could mess with remote syslog.

            How are you using remote syslog? Are you configuring this through the pfSense system log options, or are you using Barnyard2 perhaps?

InfnBiz @bmeeks:

@bmeeks Hello bmeeks, I'm assuming you are one of the staff members willing to investigate this issue?
So with that said, there are 3 remote syslog server points on pfSense (system logs, Snort/IDS logs, Barnyard2 logs) configured to serve up packets to my syslog server. Each point has the same IP but different ports.

bmeeks @InfnBiz:

                @InfnBiz
                No, there is no staff support for Snort or Suricata. I am a volunteer package maintainer for those packages. In fact, the vast majority of the pfSense packages are supported by volunteers.

                This statement is incorrect:

    "So with that said, there are 3 remote syslog server points on pfSense (system logs, Snort/IDS logs, Barnyard2 logs)"

                There is no built-in mechanism within just Snort for remote syslog servers. You must either configure Barnyard2 for syslog export or use the built-in pfSense remote syslog option to export all system logs to a remote server. In order for that last method to work with Snort, you must then configure the option on the INTERFACE SETTINGS tab to log Snort alerts to the system log.

                So which of these two methods are you using?

                1. All pfSense system logs are being exported to a remote syslog server and Snort is configured to log to the system log for the interface in question;

                2. Barnyard2 is configured on the interface and Barnyard2 is configured for remote syslog logging.

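A practical way to answer bmeeks' question is to look at what the remote syslog collector actually receives on each path and tally lines by their syslog program tag, then compare a capture taken before enabling OpenAppID with one taken after. The script below is an added example written for this thread; it is not code from the original posts, from the pfSense Snort package or from Barnyard2. It assumes the collector stores BSD-style (RFC 3164) syslog lines, and it assumes that alerts forwarded via the pfSense system log carry the tag `snort` while Barnyard2 output carries the tag `barnyard2`; the sample lines, hosts, PIDs, addresses and alert text are all constructed.

```python
import re
from collections import Counter

# Constructed sample of what a remote syslog collector might receive from a
# pfSense box. Every value here is made up for the example; the last line is
# deliberately not syslog at all so the parser's failure path is exercised.
SAMPLE_LINES = [
    "<13>Mar  4 10:15:01 pfsense php-fpm[345]: /status_services.php: Starting service snort",
    "<13>Mar  4 10:15:05 pfsense snort[8812]: [1:1000001:1] CONSTRUCTED TEST ALERT [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234",
    "<13>Mar  4 10:15:06 pfsense barnyard2[8901]: [1:1000001:1] CONSTRUCTED TEST ALERT",
    "<13>Mar  4 10:16:00 pfsense sshd[1203]: Accepted publickey for admin from 203.0.113.7 port 55120 ssh2",
    "garbage line that is not syslog at all",
]

# BSD syslog: <PRI>Mon dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return a dict of fields for one BSD-syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri >> 3   # PRI = facility * 8 + severity
    rec["severity"] = pri & 7
    return rec


def tally_programs(lines):
    """Count parsable lines per originating program tag.

    Counting by tag rather than by substring matters: a php-fpm line that
    merely mentions 'snort' (see SAMPLE_LINES[0]) is not a Snort alert.
    """
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec:
            counts[rec["program"]] += 1
    return counts


def check_snort_export(lines):
    """Report which of the two export paths from the post delivered anything.

    Assumption: 'snort'-tagged lines arrive via the pfSense system log path,
    'barnyard2'-tagged lines via Barnyard2's own syslog output.
    """
    counts = tally_programs(lines)
    return {
        "via_system_log": counts["snort"] > 0,
        "via_barnyard2": counts["barnyard2"] > 0,
        "snort_lines": counts["snort"],
        "barnyard2_lines": counts["barnyard2"],
        "unparsed": sum(1 for line in lines if parse_syslog_line(line) is None),
    }


def missing_after(before, after):
    """Program tags present in a capture taken before a config change
    (for example enabling OpenAppID) but absent from the capture taken after.
    An empty set means nothing stopped arriving."""
    return set(tally_programs(before)) - set(tally_programs(after))


if __name__ == "__main__":
    print(tally_programs(SAMPLE_LINES))
    print(check_snort_export(SAMPLE_LINES))
    # Simulate the reported symptom: the 'snort' stream vanishes after the change.
    after_change = [line for line in SAMPLE_LINES if "snort[" not in line]
    print("stopped arriving:", missing_after(SAMPLE_LINES, after_change))
```

Run it against two exports from the collector (one captured with OpenAppID off, one with it on) instead of `SAMPLE_LINES`; if `missing_after` reports `snort` while `barnyard2` keeps arriving, the problem is confined to the system-log path, which narrows the question bmeeks is asking.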
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.