Snort IDS remote logs suppressed when OpenAppID enabled
-
-
That is not by design. Are you saying all Snort log entries fail to export or just the OpenAppID entries?
Really can't see how OpenAppID would have any impact on syslog logging. You aren't by some means getting a block on the remote syslog server are you? Maybe from an OpenAppID rule or something ???
Do you see any errors about Snort in the pfSense system log?
-
@bmeeks Yes, all Snort items are blocked. This can be easily reproduced.
So, if this is not by design, the next question is: what logs or info are needed from me to get the bug issue created?
-
First I need to see if I can reproduce this myself. I really and truly at this point can't envision any way that enabling OpenAppID could mess with remote syslog.
How are you using remote syslog? Are you configuring this through the pfSense system log options, or are you using Barnyard2 perhaps?
-
@bmeeks Hello Bmeeks, I assume you are one of the staff members willing to investigate this issue?
So with that said, there are 3 remote syslog server points on pfSense (system logs, Snort/IDS logs, Barnyard2 logs) configured to serve up packets to my syslog server. Each point has the same IP but different ports.
-
@InfnBiz
No, there is no staff support for Snort or Suricata. I am a volunteer package maintainer for those packages. In fact, the vast majority of the pfSense packages are supported by volunteers. This statement is incorrect:
So with that said, there are 3 remote syslog server points on pfesense (system logs, snort/ids logs, barnyard2logs)
There is no built-in mechanism within just Snort for remote syslog servers. You must either configure Barnyard2 for syslog export or use the built-in pfSense remote syslog option to export all system logs to a remote server. In order for that last method to work with Snort, you must then configure the option on the INTERFACE SETTINGS tab to log Snort alerts to the system log.
So which of these two methods are you using?
-
All pfSense system logs are being exported to a remote syslog server and Snort is configured to log to the system log for the interface in question;
-
Barnyard2 is configured on the interface and Barnyard2 is configured for remote syslog logging.
-