Snort output to syslog (not what I want)
-
Hello good friends,
I decided to take the plunge and add the snort package to my pfSense fw yesterday. So far, so good, except it's filling up my syslogs. I unchecked the box in snort > interface > settings that says, "Snort will send Alerts to the firewall's system logs." I've enabled snort on 2 interfaces (WAN and one VLAN which is our guest wireless). Can you tell me how I can no longer have Snort output to the syslog?
Jan 7 10:53:36 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:14119 -> 74.217.148.113:80
Jan 7 10:53:35 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.206.140.182:7797 -> 74.217.148.113:80
Jan 7 10:53:34 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:7211 -> 66.235.139.17:80
Jan 7 10:53:32 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:10362 -> 103.245.222.81:80
Jan 7 10:48:33 snort[31435]: [119:31:1] (http_inspect) UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80
Jan 7 10:48:31 snort[46333]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.206.140.182:40061 -> 65.55.44.82:80
Jan 7 10:48:30 snort[31435]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.40.19:52471 -> 65.55.44.82:80
Cheers
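The lines quoted above are in Snort's syslog alert format (`[gid:sid:rev] (preprocessor) MESSAGE [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`). As an added example, not code from the original post or from pfSense, the Python below parses that format and counts alerts per signature, which is a quick way to see which preprocessor rules are producing the log volume before deciding what to tune or suppress. The sample syslog text is constructed with documentation addresses and a made-up local rule; the preprocessor tag, Classification field and ports are treated as optional because not every Snort alert carries them.

```python
import re
from collections import Counter

# Syslog alert format quoted in the post:
#   Mon DD HH:MM:SS snort[pid]: [gid:sid:rev] (preproc) MSG
#   [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# "(preproc)", Classification and the ports are optional (text rules without
# a classtype omit Classification; ICMP alerts have no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preproc>[^)]+)\) )?(?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample (documentation addresses, made-up local rule 1:1000001,
# plus one non-Snort line that must be ignored).
SAMPLE_SYSLOG = """\
Jan 7 10:53:36 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:14119 -> 203.0.113.10:80
Jan 7 10:53:35 snort[46333]: [120:8:2] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:7797 -> 203.0.113.10:80
Jan 7 10:53:34 snort[46333]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 198.51.100.7:7211 -> 203.0.113.11:80
Jan 7 10:48:33 snort[31435]: [1:1000001:1] LOCAL test rule [Priority: 3] {ICMP} 192.168.40.19 -> 203.0.113.12
Jan 7 10:48:40 sshd[999]: Accepted publickey for admin from 192.168.40.19
"""

def parse_alert(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for k in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        fields[k] = int(fields[k]) if fields[k] is not None else None
    return fields

def summarize(lines):
    """Count alerts per gid:sid:rev, noisiest first, so the rules behind the
    log volume can be reviewed (for example as suppress-list candidates)."""
    counts, names = Counter(), {}
    for a in filter(None, map(parse_alert, lines)):
        key = (a["gid"], a["sid"], a["rev"])
        counts[key] += 1
        names[key] = a["msg"]
    return {k: (names[k], n) for k, n in counts.most_common()}
```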
-
This has inexplicably corrected itself after a rules update at midnight. Happy now.
-
Most Snort related settings require a restart of the service to take place. This will happen at rules update if there's a new set of rules available.
-
Ah, very helpful. Thank you, fragged.