Snort logs with details



  • Is there anywhere I can see the actual events in more detail? For instance, when there are reported remote include events, PHP-info etc., it would be useful to be able to see what website/URL/POST/GET request is actually triggering the snort rule.

    Generic Remote File Include Attempt (HTTPS)



  • I have been searching for this as well. When running my own snort server with mysql I could view the alert and then expand it to view a partial payload. If anyone has information on how to view more of the data within pfsense that would be great.



  • I figured out a way to do it. I am not sure if this is the best or only way, but it works.

    turn on ssh
    https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

    obtain an SFTP client and Wireshark
    either connect with a Linux workstation (most have ssh/sftp clients and have Wireshark packages) or on Windows you can use something like FileZilla for SFTP

    if downloading for Windows, run any downloads through Virustotal

    If installing Wireshark on Windows only to read packet captures, then during the setup don't install WinPcap or USBPcap

    connect to the pfsense server with FileZilla and go to /var/log/snort/<interface>/
    download snort.log.xxxxx
    turn off ssh
    Run Wireshark and look at the data

    Something I could not figure out: I wanted to create a user account just for this and added the user to the admin group, but it could not get to the interface log folder. I had to use the admin account.
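    To pull the URL out of such a capture without opening Wireshark, here is an added example (not from the thread and not pfSense or Snort code) of a small Python parser that walks a snort.log pcap and returns the request line and Host header of each HTTP request. It assumes the snort.log.xxxxx file is a plain tcpdump/pcap capture with Ethernet framing (which is why it opens in Wireshark); the sample packet is constructed inline so the script runs offline.

```python
import struct

# Constructed sample: a minimal pcap with one Ethernet/IPv4/TCP packet carrying
# an HTTP request, standing in for a pfSense snort.log.<timestamp> file.
def build_sample_pcap(http_payload: bytes) -> bytes:
    ip_len = 20 + 20 + len(http_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    frame = eth + ip + tcp + http_payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt_hdr = struct.pack("<IIII", 1_700_000_000, 0, len(frame), len(frame))
    return global_hdr + pkt_hdr + frame

def http_requests_from_pcap(data: bytes) -> list[str]:
    """Return 'src -> dst  REQUEST-LINE  Host=...' for each HTTP request."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the capture file
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    results, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload[:4] not in (b"GET ", b"POST", b"HEAD", b"PUT "):
            continue  # not a cleartext HTTP request
        lines = payload.split(b"\r\n")
        host = next((l[6:] for l in lines if l.lower().startswith(b"host: ")), b"?")
        results.append(f"{src} -> {dst}  {lines[0].decode(errors='replace')}"
                       f"  Host={host.decode(errors='replace')}")
    return results

if __name__ == "__main__":
    sample = b"GET /index.php?page=home HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    for line in http_requests_from_pcap(build_sample_pcap(sample)):
        print(line)
```

Alerts fired on HTTPS traffic, like the "(HTTPS)" rule quoted above, only contain TLS records in the capture, so the request inside them cannot be recovered this way.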



  • @jgkpffrm:

    connect to the pfsense server with filezilla and go to /var/log/snort/<interface>/
    download snort.log.xxxxx
    turn off ssh
    Run Wireshark and look at the data

    What you mean is to use Wireshark on a local PC and run an analyzer session against the log file (snort.log.xxxx)?

    Does this mean that snort.log.xxxx in reality has all the data, and it is just more readable through Wireshark?

