    Snort logs with details

    IDS/IPS
fireix:

Is there anywhere I can see the actual events in more detail? For instance, when there are reported remote include events, PHP-info etc., it would be useful to be able to see what website/URL/post/get-request is actually triggering the snort rule.

Generic Remote File Include Attempt (HTTPS)

jgkpffrm:

I have been searching for this as well. When running my own snort server with MySQL I could view the alert and then expand it to view a partial payload. If anyone has information on how to view more of the data within pfSense, that would be great.

jgkpffrm:

I figured out a way to do it. I am not sure if this is the best or only way, but it works.

turn on ssh
https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

obtain an SFTP client and Wireshark
either connect with a Linux workstation (most have ssh/sftp clients and have Wireshark packages) or on Windows you can use something like FileZilla for SFTP

if downloading for Windows, run any downloads through VirusTotal

If installing Wireshark on Windows to only read packet captures, then during the setup don't install WinPcap or USBPcap

connect to the pfSense server with FileZilla and go to /var/log/snort/<interface>/
download snort.log.xxxxx
turn off ssh
Run Wireshark and look at the data

Something I could not figure out: I wanted to create a user account just for this and added the user to the admin group, but it could not get to the interface log folder. I had to use the admin account.

fireix:

@jgkpffrm:

connect to the pfSense server with FileZilla and go to /var/log/snort/<interface>/
download snort.log.xxxxx
turn off ssh
Run Wireshark and look at the data

What you mean is to use Wireshark on a local PC and run an analyzer session against the log file (snort.log.xxxx)?

Does this mean that snort.log.xxxx in reality has all the data, and it is just more readable through Wireshark?

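An added example, not code posted by anyone in this thread: the snort.log.xxxxx file that the steps above download is Snort's tcpdump-format (pcap) packet log, so the request that matched a rule can be read straight out of it. The Python below builds a constructed one-packet pcap in memory (invented RFC 5737 addresses and an invented request path) and then parses it with only the standard library, listing each HTTP request line with its endpoints, which is what Wireshark shows interactively.

```python
import struct

# Constructed sample data (not a real capture): one Ethernet/IPv4/TCP frame carrying
# an HTTP GET, wrapped in the pcap container that Snort's tcpdump log output writes
# to /var/log/snort/<interface>/snort.log.<timestamp>. Addresses are RFC 5737 test nets.
SAMPLE_REQUEST = (b"GET /page.php?include=http://203.0.113.9/x.txt HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def build_sample_pcap(payload: bytes, dport: int = 80) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                                   # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    frame = eth + ip + tcp + payload
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    record = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return header + record + frame

def http_requests_from_pcap(data: bytes) -> list:
    """Return (ts_sec, src_ip, dst_ip, dst_port, request_line) for every TCP segment
    whose payload opens with an HTTP request line (cleartext only; TLS yields nothing)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file (Snort may be configured for unified2 output instead)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    offset, results = 24, []
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                                   # IPv4 + TCP only
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]                             # skip TCP header
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
            src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
            dport = struct.unpack("!H", tcp[2:4])[0]
            results.append((ts_sec, src, dst, dport, b" ".join(parts).decode("ascii", "replace")))
    return results

if __name__ == "__main__":                       # swap in open("snort.log.NNN", "rb").read()
    print(*http_requests_from_pcap(build_sample_pcap(SAMPLE_REQUEST)), sep="\n")
```

For HTTPS hits such as the rule named at the top of the thread, the captured payload is TLS ciphertext, so only the IP/port pair and timing are recoverable from the log; the URL itself is not. Snort on pfSense can also be set to unified2 output, in which case the file is not a pcap and the first check above rejects it.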