Snort mailing list archives

Re: Snort/Barnyard2 Logging


From: beenph <beenph () gmail com>
Date: Wed, 18 Jul 2012 02:09:02 -0400

On Tue, Jul 17, 2012 at 2:33 PM, Eric Luellen <eluellen () perimeterusa com> wrote:
Thank you very much for that information. I was able to get that installed and I got some additional information in 
my logs than I was able to before. Below is the output I got from going Unified2 Snort --> Barnyard with "output 
log_syslog_full: sensor_name snort-sensor, local, operation_mode complete" in my barnyard2.conf.

Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[ALERT]: [snort-test-sensor] } || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 192.168.56.1 192.168.56.101 || 53389 80 || #012 |

Jul 16 11:03:05 localhost barnyard2: | [SNORTIDS[LOG]: [snort-test-sensor] ] || 2012-07-16 15:02:50.594 0 Snort Alert [1:10000003:0] || [Unknown Classification] || 6 3232249857 3232249957 5 0 0 40 7282 2 0 60582 0 || 53389 80 1139115519 1675916956 5 0 16 16425 2225 0 || 60 08002748F9EC08002700A4B60800450000281C7240008006ECA6C0A83801C0A83865D08D005043E585FF63E4769C5010402908B10000000000000000 || #012 |

However it's still not the output I'm looking for. I started playing with the Snort options a little more and found 
my ideal output with this command:
 - snort -de -U -X -A full -c /etc/snort/snort.conf -i eth2 -K ascii &

[**] Telnet Traffic" [**]
07/17-18:14:44.475770 1C:C1:DE:91:F3:4C -> 00:16:47:A2:B3:43 type:0x800 len:0x42
10.45.9.77:56667 -> 98.139.183.24:23 TCP TTL:128 TOS:0x0 ID:25276 IpLen:20 DgmLen:52 DF
******S* Seq: 0x5E65BBAE  Ack: 0x0  Win: 0x2000  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 8 NOP NOP SackOK
0x0000: 00 16 47 A2 B3 43 1C C1 DE 91 F3 4C 08 00 45 00  ..G..C.....L..E.
0x0010: 00 34 62 BC 40 00 80 06 6A EA 0A 2D 09 4D 62 8B  .4b.@...j..-.Mb.
0x0020: B7 18 DD 5B 00 17 5E 65 BB AE 00 00 00 00 80 02  ...[..^e........
0x0030: 20 00 2A 6C 00 00 02 04 05 B4 01 03 03 08 01 01   .*l............
0x0040: 04 02

The problem with this is when I tell it to output ascii, it splits the information up per IP and puts them into 
separate folders. I would like that information but with it in syslog. Please let me know if I'm overlooking 
something obvious or if you all recommend other options/flags for more detailed logging information on alerts.

Greetings Eric,

Well, if you take the same event that is output in alert mode and
send it to unified2 to be processed by barnyard2 with output
log_syslog_full, you might notice that you will
get information that is close to what alert mode gave you.

If you have more questions on how it works, join the barnyard2-users
mailing list. Else, maybe someone has already made some script/code to
take snort alert mode and output it in syslog, for example.

-elz
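As an added illustration of elz's point, here is example code written for this archive page (it is not from the thread, from Snort or from barnyard2): a parser for the log_syslog_full LOG record Eric posted. It labels only the columns whose meaning is evident from the thread itself (sensor, event time, generator:sid:rev, classification, IP protocol, the two integer-encoded addresses, and the packet length plus hex dump); the remaining numeric IP/TCP columns are kept as raw integers rather than guessed at, and the authoritative header values are instead decoded from the hex packet the record carries, then rendered in the `-A full` layout Eric preferred. The sample record is the one from the thread with its syslog prefix removed and the archive's line wrapping joined; a cross-check confirms the integer addresses in the record agree with the packet bytes.

```python
import ipaddress
import re
import struct

# Constructed sample: the LOG record from this thread with the
# "Jul 16 11:03:05 localhost barnyard2: " prefix removed and the archive's
# line wrapping joined back together. The hex is the packet as posted.
SAMPLE = (
    "| [SNORTIDS[LOG]: [snort-test-sensor] ] || 2012-07-16 15:02:50.594 0 "
    "Snort Alert [1:10000003:0] || [Unknown Classification] || "
    "6 3232249857 3232249957 5 0 0 40 7282 2 0 60582 0 || "
    "53389 80 1139115519 1675916956 5 0 16 16425 2225 0 || 60 "
    "08002748F9EC08002700A4B60800450000281C7240008006ECA6C0A83801C0A83865"
    "D08D005043E585FF63E4769C5010402908B10000000000000000 || #012 |"
)


def tcp_flag_string(flags):
    # Snort prints TCP flags as eight columns, MSB first: reserved bits 1 and 2,
    # then U A P R S F, with '*' for an unset bit (a bare SYN is "******S*").
    return "".join(c if flags & (0x80 >> i) else "*" for i, c in enumerate("12UAPRSF"))


def mac(b):
    return ":".join(f"{x:02X}" for x in b)


def decode_packet(hexdata):
    """Decode the Ethernet/IPv4/TCP headers in the record's hex dump.
    Only what is needed to reproduce the alert-mode lines is parsed."""
    pkt = bytes.fromhex(hexdata)
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04X})")
    ip = pkt[14:]
    ver_ihl, tos, total_len, ip_id, frag, ttl, proto, ip_csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    out = {
        "frame_len": len(pkt), "eth_dst": mac(pkt[0:6]), "eth_src": mac(pkt[6:12]),
        "ethertype": ethertype, "ip_src": str(ipaddress.IPv4Address(ip[12:16])),
        "ip_dst": str(ipaddress.IPv4Address(ip[16:20])), "tos": tos, "ttl": ttl,
        "ip_id": ip_id, "ip_hlen": ihl, "dgm_len": total_len, "proto": proto,
        "df": bool(frag & 0x4000), "ip_csum": ip_csum,
    }
    if proto == 6:  # TCP: 20 fixed header bytes, then options
        sport, dport, seq, ack, off, flags, win, tcp_csum, urp = struct.unpack(
            "!HHIIBBHHH", ip[ihl:ihl + 20])
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "tcp_len": (off >> 4) * 4, "flags": flags, "win": win,
                    "tcp_csum": tcp_csum, "urp": urp})
    return out


def parse_record(line):
    """Split one log_syslog_full record on '||'. Only columns whose meaning is
    evident from the thread are labelled; the numeric IP/TCP columns are kept
    raw (their order is barnyard2's and is not documented here)."""
    f = [x.strip() for x in line.split("||")]
    if len(f) < 6:
        raise ValueError("not a log_syslog_full record")
    head = re.match(r"\|\s*\[SNORTIDS\[(\w+)\]:\s*\[([^\]]+)\]", f[0])
    ev = re.match(r"(\S+ \S+) (\d+) (.+) \[(\d+):(\d+):(\d+)\]$", f[1])
    if not head or not ev:
        raise ValueError("unexpected header/event layout")
    ip_cols = [int(x) for x in f[3].split()]
    pkt_len, hexdata = f[5].split(None, 1)
    if int(pkt_len) * 2 != len(hexdata):
        raise ValueError("packet length does not match hex dump")
    return {
        "kind": head.group(1), "sensor": head.group(2), "time": ev.group(1),
        "msg": ev.group(3), "gid": int(ev.group(4)), "sid": int(ev.group(5)),
        "rev": int(ev.group(6)), "classification": f[2].strip("[]"),
        "proto": ip_cols[0], "src": str(ipaddress.IPv4Address(ip_cols[1])),
        "dst": str(ipaddress.IPv4Address(ip_cols[2])), "ip_cols": ip_cols,
        "tcp_cols": [int(x) for x in f[4].split()], "packet": decode_packet(hexdata),
    }


def consistent(rec):
    """The integer addresses in the record must match the packet bytes."""
    p = rec["packet"]
    return rec["src"] == p["ip_src"] and rec["dst"] == p["ip_dst"] and rec["proto"] == p["proto"]


def render_alert_style(rec):
    """Lay the event out the way 'snort -A full -e' does, from the syslog record alone."""
    p = rec["packet"]
    lines = [
        f"[**] [{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']} [**]",
        f"[Classification: {rec['classification']}]",
        f"{rec['time']} {p['eth_src']} -> {p['eth_dst']} type:0x{p['ethertype']:X} len:0x{p['frame_len']:X}",
    ]
    if p["proto"] == 6:
        lines.append(f"{p['ip_src']}:{p['sport']} -> {p['ip_dst']}:{p['dport']} TCP TTL:{p['ttl']} "
                     f"TOS:0x{p['tos']:X} ID:{p['ip_id']} IpLen:{p['ip_hlen']} DgmLen:{p['dgm_len']}"
                     + (" DF" if p["df"] else ""))
        lines.append(f"{tcp_flag_string(p['flags'])} Seq: 0x{p['seq']:X}  Ack: 0x{p['ack']:X}  "
                     f"Win: 0x{p['win']:X}  TcpLen: {p['tcp_len']}")
    else:
        lines.append(f"{p['ip_src']} -> {p['ip_dst']} proto {p['proto']} TTL:{p['ttl']} ID:{p['ip_id']}")
    return "\n".join(lines)


if __name__ == "__main__":
    record = parse_record(SAMPLE)
    assert consistent(record)
    print(render_alert_style(record))
```

Running it on the sample prints the same TTL, ID, DF, sequence/ack, window and flag columns that alert mode shows, which is what the reply above is getting at: the detail Eric wants is already inside the log_syslog_full record, just encoded as integers and a hex dump rather than pre-formatted text.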

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
