List: snort-users
Subject: Re: [Snort-users] Snort+ and logging
From: Russ via Snort-users <snort-users@lists.snort.org>
Date: 2018-09-21 14:48:55
Message-ID: cc01d62f-30db-c1cd-6bb1-a4f80024f69d@cisco.com
On 9/20/18 4:55 PM, Meridoff via Snort-users wrote:
>
>
> Thu, 20 Sep 2018 at 19:48, Andy Swartzbaugh
> <andy.swartzbaugh@gmail.com>:
>
> 1) My understanding is that Barnyard was a remedy to cope with
> Snort2's single-processor (i.e., not multi-processing) design and
> that Snort3 should be able to handle logging without needing
> another process to handle the logging.
>
>
> It is true. But Barnyard2 is able to send alerts to a DB or remote syslog -
> it is useful. Snort3 now doesn't support it.
Snort 3 can integrate with Barnyard 2 with this configuration:
bool unified2.legacy_events = false: generate Snort 2.X style
events for barnyard2 compatibility
The problem is that Snort 3 generates more and different data than BY2
can process. An alternative is to use JSON and elastic stack or
splunk. See e.g.
https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html.
>
> 2) from
> www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging :
>
> snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump
> -l /path/to/log/dir
>
> from
> www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog :
>
> This must be done in snort.lua as opposed to the command line:
>
> alert_syslog =
> {
>     facility = 'local3',
>     level = 'info',
> }
>
Just to clarify, facility and level are strings so level = 'info' etc.
(enums take string values):
$ snort --help-config alert_syslog
enum alert_syslog.facility = auth: part of priority applied to each
message { auth | authpriv | daemon | user | local0 | local1 | local2 |
local3 | local4 | local5 | local6 | local7 }
enum alert_syslog.level = info: part of priority applied to each message
{ emerg | alert | crit | err | warning | notice | info | debug }
multi alert_syslog.options: used to open the syslog connection { cons |
ndelay | perror | pid }
>
> It is true for alerts. But I've asked about the snort process (daemon) log.
> Nevertheless - thank you for the info, it is useful.
>
> If you wanted to send the logs to another server, that would be
> handled within rsyslogd (I use Ubuntu). Create a file named
> "/etc/rsyslog.d/10-snort.conf" (the lower the number, the higher
> the priority) and put the following line in it:
>
> local3.* @loghost
>
> On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users
> <snort-users@lists.snort.org> wrote:
>
> Hello, I've heard that barnyard2 is out of date for snort3.
> Though it can be used.
>
> 1. What are the alternative (to barnyard2) ways for logging
> snort3 alerts to remote databases or remote syslog etc.? Maybe
> it will be included in the snort3 project in future?
>
> 2. Small question - snort3 itself writes its own log to syslog
> (-M option). What are the ways to specify internal daemon
> logging methods: to file or syslog LEVEL or something other? I
> found nothing concerning this in config.
>
> Thanks for response
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> To unsubscribe, send an email to:
> snort-users-leave@lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
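The settings discussed across this thread, pulled together into one snort.lua fragment. This is an added example for this page, not code from the thread or from the Snort project. It assumes Snort 3 built with the alert_syslog, unified2 and alert_json loggers, an rsyslogd on the same host that forwards local3.* as in Andy's 10-snort.conf, and (for the trailing self-check) that the standard Lua base library is available while Snort loads the file.

```lua
-- snort.lua fragment (added example; not from the thread or the Snort project).
-- Assumes Snort 3 with the alert_syslog, unified2 and alert_json loggers.

-- WRONG: bare names. In Lua an undefined global evaluates to nil, so the
-- facility and level keys never make it into the table and Snort silently
-- falls back to the defaults shown by `snort --help-config alert_syslog`
-- (facility auth, level info). Nothing on the Lua side reports an error.
--
--   alert_syslog = { facility = local3, level = info }

-- RIGHT: enum parameters take string values.
alert_syslog =
{
    facility = 'local3',   -- matched by the "local3.*" selector in rsyslog
    level = 'info',
}

-- Barnyard2 consumers: ask unified2 for Snort 2.x style events. Snort 3 still
-- emits data BY2 does not understand, so treat this as a bridge, not a target.
unified2 =
{
    legacy_events = true,
}

-- Barnyard2 alternative: JSON alerts that Logstash or Splunk can ingest directly.
alert_json =
{
    file = true,           -- write to a file in the -l log directory, not stdout
}

-- Load-time self-check for the bare-name mistake above. Assumption: the Lua
-- base library (assert, type) is available while Snort reads this file.
assert(type(alert_syslog.facility) == 'string',
       'alert_syslog.facility must be a quoted string')
assert(type(alert_syslog.level) == 'string',
       'alert_syslog.level must be a quoted string')
```

Validate the file with `snort -c snort.lua -T` (add `--warn-all` to surface warnings) before running with it; `snort --help-config alert_syslog` lists the accepted facility and level names. On the rsyslog side, `local3.* @loghost` forwards over UDP; `@@loghost` selects TCP.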