Snort alert logging

serbus

Hello!

Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
Snort auto log management is enabled
The alert log thresholds are set to 500kb and 14 days

I have a wan interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.

When I look at the /var/log/snort/snort_igb0xxxx directory I see :

-rw-------  1 root  wheel  702536 Jan 19 14:55 alert.1611018900
-rw-r--r--  1 root  wheel       0 Jan 18 19:15 alert
-rw-r--r--  1 root  wheel  511900 Jan 16 21:16 alert.1610853438
-rw-------  1 root  wheel  687866 Jan 11 21:40 alert.1610357400
-rw-r--r--  1 root  wheel  282150 Jan  8 23:58 alert.1609890932
-rw-------  1 root  wheel  842750 Jan  5 17:55 alert.1609676100

The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the gui. Viewing the last rotated log file verifies this.

Am I looking that this the right way or maybe missing something?

John

bmeeks

@serbus said in Snort alert logging:

Hello!

Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
Snort auto log management is enabled
The alert log thresholds are set to 500kb and 14 days

I have a wan interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.

When I look at the /var/log/snort/snort_igb0xxxx directory I see :

-rw-------  1 root  wheel  702536 Jan 19 14:55 alert.1611018900
-rw-r--r--  1 root  wheel       0 Jan 18 19:15 alert
-rw-r--r--  1 root  wheel  511900 Jan 16 21:16 alert.1610853438
-rw-------  1 root  wheel  687866 Jan 11 21:40 alert.1610357400
-rw-r--r--  1 root  wheel  282150 Jan  8 23:58 alert.1609890932
-rw-------  1 root  wheel  842750 Jan  5 17:55 alert.1609676100

The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the gui. Viewing the last rotated log file verifies this.

Am I looking that this the right way or maybe missing something?

John

The log rotation logic is supposed to send Snort a soft restart command so that it resyncs the logs. Apparently that is not happening in your case. I have not seen this on my box, but it may be for two reasons. I have a low incidence of alerts on my home network, and the rules update job usually restarts Snort several times a week as the rules update. That will cause the log file resync.

Looking at the code I see a potential "miss" with sending that log resync soft restart command. I will fix that in an upcoming release of Snort. In the meantime, stop and restart Snort on your interface (or interfaces) and that will reset the "active" alert log so that alerts showing on the ALERTS tab. The GUI code only parses the alert file when populating the ALERTS tab. It does not go into the rotated files. So with your zero-length file, the GUI code sees no alerts to display.

serbus

Hello!

Thanks for looking into this so quickly!

The manual restart did the job.

John