Are Snort Intrusion Alerts Automatically Saved on the Harddisk by Default?

Teo En Ming

Hi,

I came across some Snort IDS settings.

The first setting is:

Services / Snort / Edit Interface / WAN

Snort will send Alerts to the firewall's system logs

The 2nd setting is:

Services / Snort / Alerts

Download Alert Log Actions

Does these mean that Snort IDS will not save intrusion alerts automatically to the filesystem by default?

If Snort IDS does save intrusion alerts automatically on the harddisk by default, where are they saved, ie. full path?

NogBadTheBad

They'll be under /var/log/snort :-

[2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg
total 100
drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 .
drwxr-xr-x  7 root  wheel  1024 Dec 19 20:59 ..
-rw-rw–--  1 root  wheel      0 Dec 22 12:17 alert
drw-rw–--  3 root  wheel  4096 Jan 15 11:15 snort_igb0.256577
drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.427080
drw-rw----  3 root  wheel  3072 Jan 15 00:20 snort_igb0.516395
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.658303
drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478
drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518
-rw-rw–--  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log
[2.4.2-RELEASE][admin@pfsense]/var/log/snort:

The entries in red are directories, the info is stored under here.