Snort output to syslog (not what I want)



  • Hello good friends,

    I decided to take the plunge and add the snort package to my pfSense fw yesterday. So far, so good, except it's filling up my syslogs. I unchecked the box in snort > interface > settings that says, "Snort will send Alerts to the firewall's system logs." I've enabled snort on 2 interfaces (WAN and one VLAN which is our guest wireless). Can you tell me how I can no longer have Snort output to the syslog?

    Jan 7 10:53:36 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:14119 -> 74.217.148.113:80
    Jan 7 10:53:35 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:7797 -> 74.217.148.113:80
    Jan 7 10:53:34 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:7211 -> 66.235.139.17:80
    Jan 7 10:53:32 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:10362 -> 103.245.222.81:80
    Jan 7 10:48:33 snort[31435]: [119:31:1] (http_inspect) UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80
    Jan 7 10:48:31 snort[46333]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:40061 -> 65.55.44.82:80
    Jan 7 10:48:30 snort[31435]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80

    Cheers
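An added example, not code from the thread or from the pfSense Snort package, that parses the syslog alert format quoted above and counts which signatures, preprocessors, source hosts and snort processes are producing the volume, so the noise can be measured and tuned (threshold or suppress entries) rather than just switched off. The sample input is the seven lines from the post; the field names are this example's own.

```python
import re
from collections import Counter

# One Snort syslog alert line (the shape of the lines quoted in the post):
# MON DD HH:MM:SS snort[PID]: [GID:SID:REV] (PREPROC) MSG [Classification: C] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preproc>[^)]+)\) )?(?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["pid"] = int(alert["pid"])
    alert["priority"] = int(alert["priority"])
    return alert

def summarize(lines):
    """Count alerts per GID:SID, per preprocessor, per source host and per snort PID."""
    counts = {k: Counter() for k in ("signatures", "preprocessors", "sources", "pids")}
    for line in lines:
        a = parse_alert(line)
        if a is None:          # skip syslog lines that are not Snort alerts
            continue
        counts["signatures"][f"{a['gid']}:{a['sid']} {a['msg']}"] += 1
        counts["preprocessors"][a["preproc"] or "rule"] += 1
        counts["sources"][a["src"]] += 1
        counts["pids"][a["pid"]] += 1
    return counts

def noisy_signatures(lines, min_count=2):
    """GID:SID messages seen at least min_count times, busiest first: candidates for tuning."""
    return [sig for sig, n in summarize(lines)["signatures"].most_common() if n >= min_count]

# The seven alert lines quoted in the post, without the forum indentation.
SAMPLE_LINES = [
    "Jan 7 10:53:36 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:14119 -> 74.217.148.113:80",
    "Jan 7 10:53:35 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:7797 -> 74.217.148.113:80",
    "Jan 7 10:53:34 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:7211 -> 66.235.139.17:80",
    "Jan 7 10:53:32 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:10362 -> 103.245.222.81:80",
    "Jan 7 10:48:33 snort[31435]: [119:31:1] (http_inspect) UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80",
    "Jan 7 10:48:31 snort[46333]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:40061 -> 65.55.44.82:80",
    "Jan 7 10:48:30 snort[31435]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80",
]
```

Non-matching lines are skipped, so the whole system log can be piped in; on the post's sample every alert is a priority-3 http_inspect preprocessor event, and the two distinct PIDs match the two interfaces Snort was enabled on.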



  • This has inexplicably corrected itself after a rules update at midnight.  Happy now.



  • Most Snort-related settings require a restart of the service to take place. This will happen at rules update if there's a new set of rules available.



  • Ah, very helpful.  Thank you, fragged.

