    Snort alert logging

    IDS/IPS
    • S
      serbus last edited by

      Hello!

      Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
      Snort auto log management is enabled
      The alert log thresholds are set to 500kb and 14 days

      I have a wan interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.

      When I look at the /var/log/snort/snort_igb0xxxx directory I see :

      -rw-------  1 root  wheel  702536 Jan 19 14:55 alert.1611018900
      -rw-r--r--  1 root  wheel       0 Jan 18 19:15 alert
      -rw-r--r--  1 root  wheel  511900 Jan 16 21:16 alert.1610853438
      -rw-------  1 root  wheel  687866 Jan 11 21:40 alert.1610357400
      -rw-r--r--  1 root  wheel  282150 Jan  8 23:58 alert.1609890932
      -rw-------  1 root  wheel  842750 Jan  5 17:55 alert.1609676100
      The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the GUI. Viewing the last rotated log file verifies this.

      Am I looking at this the right way, or maybe missing something?

      John

      • bmeeks
        bmeeks @serbus last edited by bmeeks

        @serbus said in Snort alert logging:

        Hello!

        Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
        Snort auto log management is enabled
        The alert log thresholds are set to 500kb and 14 days

        I have a wan interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.

        When I look at the /var/log/snort/snort_igb0xxxx directory I see :

        -rw-------  1 root  wheel  702536 Jan 19 14:55 alert.1611018900
        -rw-r--r--  1 root  wheel       0 Jan 18 19:15 alert
        -rw-r--r--  1 root  wheel  511900 Jan 16 21:16 alert.1610853438
        -rw-------  1 root  wheel  687866 Jan 11 21:40 alert.1610357400
        -rw-r--r--  1 root  wheel  282150 Jan  8 23:58 alert.1609890932
        -rw-------  1 root  wheel  842750 Jan  5 17:55 alert.1609676100
        The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the GUI. Viewing the last rotated log file verifies this.

        Am I looking at this the right way, or maybe missing something?

        John

        The log rotation logic is supposed to send Snort a soft restart command so that it resyncs the logs. Apparently that is not happening in your case. I have not seen this on my box, but it may be for two reasons. I have a low incidence of alerts on my home network, and the rules update job usually restarts Snort several times a week as the rules update. That will cause the log file resync.

        Looking at the code, I see a potential "miss" with sending that log resync soft restart command. I will fix that in an upcoming release of Snort. In the meantime, stop and restart Snort on your interface (or interfaces), and that will reset the "active" alert log so that alerts show on the ALERTS tab. The GUI code only parses the alert file when populating the ALERTS tab. It does not go into the rotated files. So with your zero-length file, the GUI code sees no alerts to display.

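        A small health check for the condition described above, added here as an example; it is not code from the thread or from the pfSense Snort package. It assumes the per-interface layout shown in John's listing (a `/var/log/snort/snort_<if><id>/` directory holding the active `alert` file plus rotated `alert.<epoch>` files) and flags a directory where `alert` is zero bytes while a rotated file has been modified more recently, which is exactly the state in which the ALERTS tab goes blank. It only reports; the fix, as bmeeks says, is to stop and start Snort on that interface.

```shell
#!/bin/sh
# Added example: detect "Snort still writing to a rotated alert file" on pfSense.
# Assumption: directory layout /var/log/snort/snort_<if><id>/{alert,alert.<epoch>}
# as shown in the thread. Detection only; restart Snort on the interface to fix.

# newest_rotated DIR -> print the most recently modified alert.<epoch> file in DIR
newest_rotated() {
    dir=$1
    newest=""
    for f in "$dir"/alert.*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# rotation_stale DIR -> exit 0 when the GUI's "alert" file is empty AND a rotated
# file has been written after it (Snort is still holding the old descriptor)
rotation_stale() {
    dir=$1
    active="$dir/alert"
    [ -f "$active" ] || return 1      # no active log at all: nothing to judge
    [ -s "$active" ] && return 1      # active log has data: the GUI will show it
    rot=$(newest_rotated "$dir") || return 1   # never rotated: not this symptom
    [ "$rot" -nt "$active" ]
}

# check_all [BASE] -> report every snort_* directory; exit 1 if any is stale
check_all() {
    base=${1:-/var/log/snort}
    status=0
    for d in "$base"/snort_*; do
        [ -d "$d" ] || continue
        if rotation_stale "$d"; then
            echo "STALE: $d -> alerts still landing in $(newest_rotated "$d"); GUI alert file is empty"
            status=1
        else
            echo "ok: $d"
        fi
    done
    return $status
}

# make_sample BASE -> constructed test tree mirroring the listing in the thread
# (one stale interface, one healthy one); timestamps set with touch -t
make_sample() {
    base=$1
    d="$base/snort_igb0xxxx"
    mkdir -p "$d"
    : > "$d/alert"
    touch -t 202101181915 "$d/alert"
    echo "[**] [1:1:1] constructed alert [**]" > "$d/alert.1611018900"
    touch -t 202101191455 "$d/alert.1611018900"
    echo "older rotated data" > "$d/alert.1610853438"
    touch -t 202101162116 "$d/alert.1610853438"
    h="$base/snort_igb1yyyy"
    mkdir -p "$h"
    echo "[**] [1:2:1] constructed alert [**]" > "$h/alert"
    printf '%s\n' "$base"
}

# Usage on a live box:  sh snort_alert_check.sh        (reads /var/log/snort)
# Demo on constructed data when run directly with "demo" as the first argument:
if [ "${1:-}" = "demo" ]; then
    check_all "$(make_sample "$(mktemp -d)")"
fi
```

        Run it from cron or before looking at the ALERTS tab; a non-zero exit means at least one interface is in the state John saw. The `-nt` comparison is the whole trick: a rotated file that is newer than the active one can only happen if the process that rotated the logs did not get Snort to reopen its output.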
        • S
          serbus last edited by

          Hello!

          Thanks for looking into this so quickly!

          The manual restart did the job.

          John
