
List:       snort-users
Subject:    Re: [Snort-users] Snort 3 logging when in daemon mode
From:       Y M via Snort-users <snort-users () lists ! snort ! org>
Date:       2020-03-27 17:03:30
Message-ID: MN2PR17MB30382FAABEE4C29B5459C304A8CC0 () MN2PR17MB3038 ! namprd17 ! prod ! outlook ! com

The behavior appears to be the same with build 270.

YM
________________________________
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Y M via Snort-users <snort-users@lists.snort.org>
Sent: Monday, March 16, 2020 8:04 PM
To: snort-users <snort-users@lists.snort.org>
Subject: [Snort-users] Snort 3 logging when in daemon mode

Hello,

I noticed that, unlike Snort 3 alert logs, the appid, file, and perf_mon logs are not written immediately or within the (default) configured period when Snort is running in daemon mode. They are only written to their respective files when the Snort process is restarted or stopped. At first, I thought this was a permission issue with Snort's logging directory, but that's not the case. Another thought was that systemd is not playing nicely when running Snort as a service. That was also not the case, as running Snort in daemon mode directly exhibits the same behavior.

Another observation is that even though the alerts are written to the log immediately, additional log data is written when Snort is stopped or restarted. This occurs even after tcpreplay has finished replaying the PCAP and its process has ceased.

For example, after running Snort for more than 10 minutes, you can see that the appid, file and perf_mon logs are empty while the alert logs are increasing in size. Only after the Snort process is restarted are the logs from the previous PCAP run (single PCAP via tcpreplay) written to the files.

# systemctl status snort.service
● snort.service - Snort 3 Intrusion Detection and Prevention service
   Loaded: loaded (/etc/systemd/system/snort.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-03-16 19:30:57 +03; 11min ago
  Process: 2680 ExecReload=/bin/kill -SIGHUP $MAINPID (code=exited, status=0/SUCCESS)

# ls -l /var/log/snort/
total 44
-rw-------. 1 snort snort 42119 Mar 16 19:36 alert_json.txt
-rw-------. 1 snort snort     0 Mar 16 19:35 appid_stats.log
-rw-------. 1 snort snort     0 Mar 16 19:31 file.log
-rw-r--r--. 1 snort snort     0 Mar 16 19:31 perf_monitor_base.json
-rw-r--r--. 1 snort snort     0 Mar 16 19:31 perf_monitor_flow.json

# systemctl restart snort.service
# systemctl status snort.service
● snort.service - Snort 3 Intrusion Detection and Prevention service
   Loaded: loaded (/etc/systemd/system/snort.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-03-16 19:44:08 +03; 2s ago
  Process: 2680 ExecReload=/bin/kill -SIGHUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 4495 (snort)

# ls -l /var/log/snort/
total 60
-rw-------. 1 snort snort 42594 Mar 16 19:44 alert_json.txt
-rw-------. 1 snort snort   435 Mar 16 19:44 appid_stats.log
-rw-------. 1 snort snort  1010 Mar 16 19:44 file.log
-rw-r--r--. 1 snort snort     3 Mar 16 19:44 perf_monitor_base.json
-rw-r--r--. 1 snort snort     3 Mar 16 19:44 perf_monitor_flow.json

Command used to run Snort (command line and systemd unit):

snort -c snort.lua -i iface -l /var/log/snort -D -u snort -g snort -k none

I can provide snort.lua if needed. Thank you.
YM
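An added health check, not part of the original post or of the Snort project, that flags the symptom reported above: files in the Snort log directory that are still empty or have not been written within the expected period while the process is running. The 600-second tolerance, the default `/var/log/snort` path and the sample listings (constructed to mirror the two `ls -l` outputs in the report) are assumptions.

```python
import os
import sys
import time

# Files from the report and the longest silence (seconds) tolerated for each
# before the output is treated as stalled. 600 s is an assumed window; derive
# it from the periods configured in your snort.lua.
WATCHED = dict.fromkeys(["alert_json.txt", "appid_stats.log", "file.log",
                         "perf_monitor_base.json", "perf_monitor_flow.json"], 600)


def stale_logs(stats, now, watched=WATCHED):
    """stats maps file name -> (size_bytes, mtime_epoch).
    Returns watched files that are missing, still empty, or older than their
    window: the signature of output that is buffered until Snort exits."""
    stale = []
    for name, max_age in watched.items():
        if name not in stats:
            stale.append(name)
            continue
        size, mtime = stats[name]
        if size == 0 or now - mtime > max_age:
            stale.append(name)
    return sorted(stale)


def scan_dir(log_dir):
    """Collect (size, mtime) for every regular file in the log directory."""
    stats = {}
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            stats[name] = (st.st_size, st.st_mtime)
    return stats


# Constructed samples mirroring the report's two listings; times are seconds
# after the 19:30:57 service start, so 19:31 -> 3, 19:36 -> 303, 19:44:08 -> 791.
BEFORE_RESTART = {"alert_json.txt": (42119, 303), "appid_stats.log": (0, 243),
                  "file.log": (0, 3), "perf_monitor_base.json": (0, 3),
                  "perf_monitor_flow.json": (0, 3)}
AFTER_RESTART = {"alert_json.txt": (42594, 791), "appid_stats.log": (435, 791),
                 "file.log": (1010, 791), "perf_monitor_base.json": (3, 791),
                 "perf_monitor_flow.json": (3, 791)}

if __name__ == "__main__":
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort"
    for name in stale_logs(scan_dir(log_dir), time.time()):
        print("stalled:", name)
```

Run it from a timer or cron with the log directory as its argument; a non-empty result while `systemctl status snort.service` shows the service active reproduces the condition in the report.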
