Snort logs with details
-
Is there anywhere I can see the actual events in more detail? For instance, when there are reported remote include events, PHP-info etc., it would be useful to be able to see what website/URL/POST/GET request is actually triggering the Snort rule.
Generic Remote File Include Attempt (HTTPS)
-
I have been searching for this as well. When running my own Snort server with MySQL I could view the alert and then expand it to view a partial payload. If anyone has information on how to view more of the data within pfSense that would be great.
-
I figured out a way to do it. I am not sure if this is the best or only way, but it works.
turn on SSH
https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access
obtain an SFTP client and Wireshark
either connect with a Linux workstation (most have SSH/SFTP clients and have Wireshark packages) or on Windows can use something like FileZilla for SFTP
if downloading for Windows, run any downloads through VirusTotal
If installing Wireshark on Windows to only read packet captures then during the setup don't install WinPcap or USBPcap
connect to the pfSense server with FileZilla and go to /var/log/snort/<interface>/
download snort.log.xxxxx
turn off SSH
Run Wireshark and look at the data
Something I could not figure out - I wanted to create a user account just for this and added the user to the admin group, but it could not get to the interface log folder. Had to use the admin account.
-
connect to the pfSense server with FileZilla and go to /var/log/snort/<interface>/
download snort.log.xxxxx
turn off SSH
Run Wireshark and look at the data
What you mean is to use Wireshark on a local PC and run an analyzer session against the log file (snort.log.xxxx)?
Does this mean that snort.log.xxxx in reality has all the data, it is just more readable through Wireshark?
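The snort.log.xxxxx files that the procedure above downloads are written by Snort's packet logger in tcpdump/libpcap format, which is why Wireshark can open them: they hold the raw packets that triggered each alert. As an added example (not code from this thread, from pfSense or from the Snort project), the script below reads such a capture directly in pure Python and prints, for every HTTP request it finds, the client address and the full URL, which is the detail the first post was asking for. It embeds a small constructed capture (one request whose query string carries a remote URL, the kind of payload a remote file include rule fires on, plus one response) so it runs offline; pass the path of a downloaded snort.log file as the first argument to run it on real data. Only IPv4 over Ethernet and plain HTTP are handled; an HTTPS alert like the one named above carries encrypted payload that no offline parser can read.

```python
import struct
import sys

# Constructed sample request (not taken from any real capture).
SAMPLE_HTTP = (b"GET /index.php?page=http://203.0.113.5/file.txt HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"User-Agent: constructed-sample\r\n\r\n")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left at zero;
    neither Wireshark nor this parser needs them to decode the packet)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_sample_pcap():
    """Constructed libpcap file (Ethernet link type) standing in for snort.log.xxxxx."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        build_frame("198.51.100.7", "192.0.2.10", 51515, 80, SAMPLE_HTTP),
        build_frame("192.0.2.10", "198.51.100.7", 80, 51515, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    out = header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame bytes) from libpcap bytes; both byte orders are handled."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap capture (magic %#x)" % magic)
    linktype, = struct.unpack_from(order + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def extract_http_request(frame):
    """Return a dict describing the HTTP request in this frame, or None if it holds none."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < total_len:                 # not TCP, or truncated
        return None
    ip = ip[:total_len]                                   # drop Ethernet padding
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), "?")
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "method": parts[0], "url": "http://%s%s" % (host, parts[1])}


def http_requests(data):
    """All HTTP requests found in the capture, in file order."""
    found = []
    for ts, frame in iter_packets(data):
        req = extract_http_request(frame)
        if req:
            req["ts"] = ts
            found.append(req)
    return found


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for r in http_requests(blob):
        print("%d %s:%d -> %s:%d %s %s" % (r["ts"], r["src"], r["sport"],
                                          r["dst"], r["dport"], r["method"], r["url"]))
```

Run it as `python3 snort_http_requests.py snort.log.1234567890` after downloading the log; with no argument it parses the constructed sample. Snort logs only the packets that matched a rule, so every request printed corresponds to an alert, and the URL column is usually enough to decide whether the hit was a real remote include attempt or a false positive on a legitimate parameter.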