Netgate Discussion Forum

    Snort output to syslog (not what I want)

      esseebee

      Hello good friends,

      I decided to take the plunge and add the Snort package to my pfSense fw yesterday. So far, so good, except it's filling up my syslogs. I unchecked the box in Snort > interface > settings that says, "Snort will send Alerts to the firewall's system logs." I've enabled Snort on 2 interfaces (WAN and one VLAN which is our guest wireless). Can you tell me how I can no longer have Snort output to the syslog?

      Jan 7 10:53:36 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:14119 -> 74.217.148.113:80
      Jan 7 10:53:35 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:7797 -> 74.217.148.113:80
      Jan 7 10:53:34 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:7211 -> 66.235.139.17:80
      Jan 7 10:53:32 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:10362 -> 103.245.222.81:80
      Jan 7 10:48:33 snort[31435]: [119:31:1] (http_inspect) UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80
      Jan 7 10:48:31 snort[46333]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:40061 -> 65.55.44.82:80
      Jan 7 10:48:30 snort[31435]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80

      Cheers

        esseebee

        This has inexplicably corrected itself after a rules update at midnight.  Happy now.

          fragged

          Most Snort-related settings require a restart of the service to take place. This will happen at rules update if there's a new set of rules available.

            esseebee

            Ah, very helpful.  Thank you, fragged.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.