Snort alert logging
-
Snort is installed using mostly defaults. Logging of alerts is enabled and the system log facility is LOG_AUTH. Snort is completely flooding the general log. I guess that's expected, since it doesn't have its own log. Other logs can be selected, but it's not obvious (to me) what they are.
I raised a bug that snort was flooding the general log because it doesn't have its own log, but no idea if anything will be done (or even should be done). Here is the only reply:
Do you have it configured to log alerts to the system log? Otherwise, it does not put too much info into the system log other than some messages from the scheduled rule updates. Logging alerts to the system log is not the best idea because that can cause a lot of stuff in the log. Better to use Barnyard2 and either its remote syslog option or one of the SQL DB options there.
What is the recommended setting for snort logs, in particular to prevent flooding the general log? Is barnyard2 the way to go or are there other solutions?
Also, when I was using Sophos UTM, it had a very nice built-in reporting facility so you could get a good idea what alerts are being raised and from where. Is there a reporting facility for snort?
-
Look in the settings for each interface under Snort.
In the Interface settings, under Alert settings, you can set the Facility and Priority for your logs.
Change the facility to something else and you can redirect the logs to a different file.
For example, maybe set your WAN to LOG_LOCAL_0 and your LAN to LOG_LOCAL_1.
Then you just have to edit lines in your /var/etc/syslog.conf file.
You'll see lines in there that already exist for local3, local4, local5, and local7… so don't use those facilities in your Snort configs.
This way you can direct only your snort alert traffic to a dedicated file.
-
Thanks for the reply. I saw those settings, but I have no idea what they mean or how to modify them without breaking something. With regards to syslog.conf, I don't see snort mentioned anywhere, though I see auth.info on the same line as %/var/log/system.log. If I was to add a line for %/var/log/snort.log, would it appear as a pulldown in the snort settings and if so, would it appear as a tab in system logs? Again, I don't know how this works and I don't want to break something.
-
Sorry for the long delay.
Log events in syslog use tags called "facility" and "severity". The facility tells syslog where the event is coming from, so it knows how to handle that event traffic.
The severity indicates how severe the event is… whether it's debug information, an error, a warning, something critical, etc.
When you are in Snort, configure the log for one of the LOCALs that are not being used. For example, let's say you want to use LOG_LOCAL_1.
That tells snort to use the "facility" called LOCAL1 for logging.
When syslog gets a log event, it directs the event based on the information in the syslog.conf file. So when a log comes in for LOCAL1, you can direct it to a specific log.
You can name the file there in the syslog.conf file.
So you want a line similar to those for LOCAL3 or LOCAL4 that are already in the syslog.conf file, but in this case, use LOCAL1, or whichever facility you choose. Then on that line, you can name the file that you want the information to go to for log events that match that facility.
I don't have access to mine right now, but if you want a more definitive answer with what it should look like, I can get that for you later this afternoon or tonight.
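Added example for the two replies above (not code from the thread or from the pfSense Snort package). It takes the text of a pfSense-style /var/etc/syslog.conf, reports which localN facilities already have their own selector line and which ones the system.log catch-all switches off with ".none", maps the name shown in the Snort alert settings (LOG_LOCAL_2) to the syslog.conf spelling (local2), and renders the line to add plus the amended system.log line. The sample config is constructed from the entries quoted in this thread; the LOG_LOCAL_2 choice and the snort.log filename are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Works out which localN facilities a pfSense-style syslog.conf already uses
# and renders the lines needed to give a Snort facility its own log file.

# Constructed sample: the "local" lines and the system.log line quoted in
# the thread (separator whitespace is spaces here; tabs work the same).
SAMPLE_SYSLOG_CONF='local3.*  %/var/log/vpn.log
local4.*  %/var/log/portalauth.log
local5.*  %/var/log/nginx.log
local7.*  %/var/log/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info  %/var/log/system.log'

# localN facilities that already have their own selector line ("local3.*").
# $1: config text. Output: one facility per line, sorted.
used_local_facilities() {
    printf '%s\n' "$1" |
        sed -n 's/^\(local[0-7]\)\.[^[:space:];]*[[:space:]].*/\1/p' | sort -u
}

# localN facilities that a file's catch-all selector turns off with ".none".
# $1: config text, $2: target file name under /var/log (e.g. system.log).
excluded_from() {
    printf '%s\n' "$1" |
        grep "[[:space:]]%\{0,1\}/var/log/$2\$" |
        tr ';' '\n' | sed -n 's/^\(local[0-7]\)\.none$/\1/p' | sort -u
}

# local0..local7 minus the facilities that are already routed. $1: config text.
free_local_facilities() {
    used=$(used_local_facilities "$1" | tr '\n' ' ')
    for n in 0 1 2 3 4 5 6 7; do
        case " $used " in
            *" local$n "*) ;;
            *) echo "local$n" ;;
        esac
    done
}

# Map the name shown in the Snort alert settings (LOG_LOCAL_2) to the
# syslog.conf spelling (local2).
snort_facility_to_syslog() {
    printf '%s' "$1" | sed 's/^LOG_//; s/_//' | tr '[:upper:]' '[:lower:]'
}

# Refuse a facility that is already routed; otherwise print the selector line
# for the new file and the system.log line with a matching ".none" inserted
# right after the leading "*.notice". Without that ".none", alerts at notice
# or above would still match "*.notice" and be duplicated into system.log;
# it must follow the "*" entry because later selectors override earlier ones.
# $1: config text, $2: Snort facility name, $3: file name under /var/log.
plan_snort_logging() {
    conf=$1; fac=$(snort_facility_to_syslog "$2"); file=$3
    if used_local_facilities "$conf" | grep -qx "$fac"; then
        echo "$fac is already routed in syslog.conf; pick another facility" >&2
        return 1
    fi
    printf '%s.*\t%%/var/log/%s\n' "$fac" "$file"
    printf '%s\n' "$conf" | grep '/var/log/system\.log$' |
        sed "s/^\*\.notice;/*.notice;$fac.none;/"
}

# Demo against the constructed config: prints the two lines to put in place.
plan_snort_logging "$SAMPLE_SYSLOG_CONF" LOG_LOCAL_2 snort.log
```

On a real box the same functions can be fed the live file with `plan_snort_logging "$(cat /var/etc/syslog.conf)" LOG_LOCAL_2 snort.log`. Two checks worth doing after editing: confirm the chosen facility is absent from both `used_local_facilities` and `excluded_from ... system.log` output before reusing it, and confirm the hand edit survives a reboot or a change in the logging settings, since pfSense generates /var/etc/syslog.conf itself.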
-
Thank you for the reply. I will give it a try on my test system and report back.
-
Taking another look at this. Sorry if my questions are overly pedantic. I just don't want to break my system.
I have attached the snort log facility options and the tabs in status / system logs / system / general from my system. Presumably they are the same as any other system.
Here is unedited syslog.conf. I can see a rough correspondence between syslog.conf and the tabs.
```
!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
*.*                 %/var/log/routing.log
!ntp,ntpd,ntpdate
*.*                 %/var/log/ntpd.log
!ppp
*.*                 %/var/log/ppp.log
!poes
*.*                 %/var/log/poes.log
!l2tps
*.*                 %/var/log/l2tps.log
!charon,ipsec_starter
*.*                 %/var/log/ipsec.log
!openvpn
*.*                 %/var/log/openvpn.log
!dpinger
*.*                 %/var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*                 %/var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6
*.*                 %/var/log/dhcpd.log
!relayd
*.*                 %/var/log/relayd.log
!hostapd
*.*                 %/var/log/wireless.log
!filterlog
*.*                 %/var/log/filter.log
!-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,relayd,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd,filterlog
local3.*            %/var/log/vpn.log
local4.*            %/var/log/portalauth.log
local5.*            %/var/log/nginx.log
local7.*            %/var/log/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info    %/var/log/system.log
auth.info;authpriv.info     |exec /usr/local/sbin/sshlockout_pf 15
*.emerg             *
```
Looking at the "local" subsection:
```
local3.*            %/var/log/vpn.log
local4.*            %/var/log/portalauth.log
local5.*            %/var/log/nginx.log
local7.*            %/var/log/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info    %/var/log/system.log
```
I see that local3-7 are used. What is the significance of the entries "local0.none;local3.none;local4.none;local7.none" in the line for %/var/log/system.log? Are they there only in case a specific log file is not specified above? Why are there not entries for local1.none, local2.none, local5.none and local6.none? If I understand you correctly, to use the facility LOG_LOCAL2 for snort, I would make this change:
```
local2.*            %/var/log/snort.log
```
If I do this, where will I see the log entries? Thank you very much.