Snort mailing list archives
Re: Snort/Banyard2 Logging
From: beenph <beenph () gmail com>
Date: Wed, 18 Jul 2012 02:09:02 -0400
On Tue, Jul 17, 2012 at 2:33 PM, Eric Luellen <eluellen () perimeterusa com> wrote:
Thank you very much for that information. I was able to get that installed and I got more information in my logs than I was able to before. Below is the output I got from going Unified2 Snort --> Barnyard with "output log_syslog_full: sensor_name snort-sensor, local, operation_mode complete" in my barnyard2.conf.

Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[ALERT]: [snort-test-sensor] } || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 192.168.56.1 192.168.56.101 || 53389 80 || #012 |
Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[LOG]: [snort-test-sensor] ] || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 3232249857 3232249957 5 0 0 40 7282 2 0 60582 0 || 53389 80 1139115519 1675916956 5 0 16 16425 2225 0 || 60 08002748F9EC08002700A4B60800450000281C7240008006ECA6C0A83801C0A83865D08D005043E585FF63E4769C5010402908B10000000000000000 || #012 |

However, it's still not the output I'm looking for. I started playing with the Snort options a little more and found my ideal output with this command:

snort -de -U -X -A full -c /etc/snort/snort.conf -i eth2 -K ascii &

[**] Telnet Traffic" [**]
07/17-18:14:44.475770 1C:C1:DE:91:F3:4C -> 00:16:47:A2:B3:43 type:0x800 len:0x42
10.45.9.77:56667 -> 98.139.183.24:23 TCP TTL:128 TOS:0x0 ID:25276 IpLen:20 DgmLen:52 DF
******S* Seq: 0x5E65BBAE  Ack: 0x0  Win: 0x2000  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 8 NOP NOP SackOK
0x0000: 00 16 47 A2 B3 43 1C C1 DE 91 F3 4C 08 00 45 00  ..G..C.....L..E.
0x0010: 00 34 62 BC 40 00 80 06 6A EA 0A 2D 09 4D 62 8B  .4b.@...j..-.Mb.
0x0020: B7 18 DD 5B 00 17 5E 65 BB AE 00 00 00 00 80 02  ...[..^e........
0x0030: 20 00 2A 6C 00 00 02 04 05 B4 01 03 03 08 01 01   .*l............
0x0040: 04 02

The problem with this is when I tell it to output ascii, it splits the information up per IP and puts them into separate folders. I would like that information but with it in syslog.
Please let me know if I'm overlooking something obvious or if you all recommend other options/flags for more detailed logging information on alerts.
Greetings Eric,

Well, if you take the same event that is output in alert mode and send it to unified2 to be processed by barnyard2 with output log_syslog_full, you might notice that you will get information that is close to what alert mode gave you.

If you have more questions on how it works, join the barnyard2-users mailing list. Else maybe someone has already made some script/code to take snort alert mode and output it in syslog, for example.

-elz
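The reply above suggests a script that takes Snort's alert-mode output and emits it to syslog. Here is an added example of that idea, written for this page; it is not code from the Snort or barnyard2 projects. It parses the "-A full" record layout quoted in the thread (with or without the Ethernet line that -e adds, and with or without the -X hex dump) into one key=value line per event, which is the single-line form a syslog collector can index instead of the per-IP folders -K ascii produces. The sample records, the field names (sig, sid, src, sport, ...) and the assumption that a [gid:sid:rev] bracket precedes the rule message are this example's own; the first sample record reuses the values quoted in the thread, the second is invented.

```python
"""Collapse Snort "-A full" alert records into one key=value line per event,
ready for syslog.  Added example; not Snort or barnyard2 project code.  Field
names (sig, sid, src, sport, ...) are this script's own choice."""
import re
import string
from typing import Any, Dict, Iterator, List

# Constructed sample in the layout printed by "snort -de -X -A full".  The
# first record reuses values from the thread, the second is invented; the
# "[gid:sid:rev]" bracket before the rule message is assumed.
SAMPLE_ALERTS = """\
[**] [1:10000003:0] Telnet Traffic [**]
07/17-18:14:44.475770 1C:C1:DE:91:F3:4C -> 00:16:47:A2:B3:43 type:0x800 len:0x42
10.45.9.77:56667 -> 98.139.183.24:23 TCP TTL:128 TOS:0x0 ID:25276 IpLen:20 DgmLen:52 DF
******S* Seq: 0x5E65BBAE  Ack: 0x0  Win: 0x2000  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 8 NOP NOP SackOK
0x0000: 00 16 47 A2 B3 43 1C C1 DE 91 F3 4C 08 00 45 00  ..G..C.....L..E.
0x0010: 00 34 62 BC 40 00 80 06 6A EA 0A 2D 09 4D 62 8B  .4b.@...j..-.Mb.

[**] [1:10000004:1] Plain HTTP Request [**]
07/17-18:15:01.000100 1C:C1:DE:91:F3:4C -> 00:16:47:A2:B3:43 type:0x800 len:0x36
10.45.9.77:56700 -> 93.184.216.34:80 TCP TTL:128 TOS:0x0 ID:25300 IpLen:20 DgmLen:40
***A**** Seq: 0x1  Ack: 0x2  Win: 0x2000  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?:\[(\d+):(\d+):(\d+)\]\s*)?(.*?)\s*\[\*\*\]$")
ETH_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f:]{17})\s+->\s+([0-9A-Fa-f:]{17})"
                    r"\s+type:(0x[0-9A-Fa-f]+)\s+len:(0x[0-9A-Fa-f]+)$")
# Optional leading timestamp (printed here when -e is not used); ports are
# optional so ICMP lines without them still match.
IP_RE = re.compile(r"^(?:(\S+)\s+)?(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?\s+(\w+)\s*(.*)$")
TCP_RE = re.compile(r"^([*12UAPRSFCE]{8})\s+(.*)$")   # 8-char flag mask, e.g. ******S*
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+(.*)$")
KV_RE = re.compile(r"(\w+):\s?(\S+)")                  # TTL:128, Seq: 0x5E65BBAE, ...


def _quote(v: Any) -> str:
    """Quote values containing spaces so the line stays key=value parsable."""
    s = str(v)
    return '"%s"' % s.replace('"', "'") if (" " in s or s == "") else s


def iter_alert_blocks(text: str) -> Iterator[str]:
    """Yield one record per "[**]" header line (records may contain blank lines)."""
    block: List[str] = []
    for ln in text.splitlines():
        if ln.startswith("[**]") and block:
            yield "\n".join(block)
            block = []
        if ln.strip() or block:
            block.append(ln)
    if block:
        yield "\n".join(block)


def parse_alert(block: str) -> Dict[str, Any]:
    """Parse one "-A full" record (header plus packet lines) into a dict."""
    lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if m is None:
        raise ValueError("not a Snort alert record: %r" % block[:60])
    gid, sid, rev, sig = m.groups()
    ev: Dict[str, Any] = {"sig": sig, "gid": gid, "sid": sid, "rev": rev, "ip": {},
                          "ip_flags": [], "tcp": {}, "opts": None, "hex": "", "other": []}
    for ln in lines[1:]:
        em = ETH_RE.match(ln)
        if em:  # only present when snort runs with -e
            ev["ts"], ev["src_mac"], ev["dst_mac"], ev["eth_type"], ev["frame_len"] = em.groups()
            continue
        im = IP_RE.match(ln)
        if im:
            ts, ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"], rest = im.groups()
            if ts:
                ev.setdefault("ts", ts)
            ev["ip"] = dict(KV_RE.findall(rest))
            ev["ip_flags"] = [t for t in rest.split() if ":" not in t]  # DF, MF, ...
            continue
        tm = TCP_RE.match(ln)
        if tm:
            ev["tcp"] = {"flags": tm.group(1), **dict(KV_RE.findall(tm.group(2)))}
            continue
        if ln.startswith("TCP Options"):
            ev["opts"] = ln.split("=>", 1)[-1].strip()
            continue
        hm = HEX_RE.match(ln)
        if hm:  # -X dump: keep the up-to-16 byte columns, drop the ASCII gutter
            for tok in hm.group(1).split()[:16]:
                if len(tok) != 2 or not all(c in string.hexdigits for c in tok):
                    break
                ev["hex"] += tok.upper()
            continue
        ev["other"].append(ln)  # anything this parser does not model (ICMP details etc.)
    return ev


def to_syslog_line(ev: Dict[str, Any], sensor: str = "snort-sensor") -> str:
    """Render a parsed event as a single key=value line."""
    fields = [("sensor", sensor), ("sig", ev["sig"]), ("gid", ev["gid"]),
              ("sid", ev["sid"]), ("rev", ev["rev"])]
    fields += [(k, ev.get(k)) for k in ("ts", "src", "sport", "dst", "dport",
                                        "proto", "src_mac", "dst_mac")]
    fields += [("ip_" + k.lower(), v) for k, v in ev["ip"].items()]
    fields.append(("ip_flags", ",".join(ev["ip_flags"]) or None))
    fields += [("tcp_" + k.lower(), v) for k, v in ev["tcp"].items()]
    fields += [("tcp_opts", ev["opts"]), ("payload_hex", ev["hex"] or None)]
    return " ".join("%s=%s" % (k, _quote(v)) for k, v in fields if v is not None)


if __name__ == "__main__":
    for blk in iter_alert_blocks(SAMPLE_ALERTS):
        print(to_syslog_line(parse_alert(blk)))
```

To actually ship the lines, hand each one to the standard library's logging.handlers.SysLogHandler (address=("collector", 514) for UDP, or address="/dev/log" for the local socket) instead of printing it; the handler does the framing, and one event per line keeps the collector's search and alerting simple. The "other" list holds lines the parser does not model, so nothing is silently dropped when a record type (ICMP, UDP) differs from the TCP layout in the sample.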