Snort mailing list archives

snort syslog and barnyard2


From: John Hally <JHally () EBSCO COM>
Date: Wed, 1 Oct 2014 18:00:33 +0000

Hi All,

I’m trying to get snort and/or barnyard2 to send full alerts to a remote syslog server for analysis with things like 
splunk, etc. I think I may have found a bug in barnyard2, but I wanted to put it out to the list to see if anyone else 
is successful at this. I’m trying to send it to LOCAL3 so that I can parse off the logs into its own file in 
rsyslog.conf.

No matter what I try, I will only get ‘fast’ alert data in /var/log/messages on my rsyslog server (not the local3.* 
entry as expected). The "operation_mode complete" switch is supposed to set the alerts to full logging, but it 
doesn’t work remotely or locally.

In barnyard2 config:

output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol udp, port 514, operation_mode complete, 
log_priority LOG_ALERT, log_facility LOG_LOCAL3

/etc/rsyslog.conf entry:

local3.*                                                /var/log/snortsyslog/snort.log


Output from messages after barnyard2 startup:

Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog messages "|"
Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog messages " "
Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid: 13339
Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set to /var/run/
Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file "/var/run//barnyard2_eth1.pid"


Sample syslog entry:

Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE 
Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |


The output in unified2/mysql is the full payload and you can see the full HTTP POST.

Am I missing something?

Thanks in advance,

John.
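A decoder for the kind of datagram shown in the post, added here as an example; it is not part of the original message nor of barnyard2 or rsyslog. Two things are worth checking on the receiving side when alerts keep landing in /var/log/messages instead of the local3.* file: which facility/severity the datagram's PRI header actually carries, and whether the last "||" field holds a payload or only the escaped newline (`#012`) that the fast detail level leaves behind. The sample datagram below is constructed from the layout of the post's sample entry; its PRI value, the IP addresses, and the meaning of the numeric field after the event timestamp (treated as an event id) are assumptions.

```python
"""Decode a barnyard2 alert_syslog_full datagram and check how it was sent.

Added example, not barnyard2 or rsyslog code. The sample input is constructed
from the layout of the post's sample entry; the PRI header, IP addresses and
the meaning of the numeric field after the event timestamp are assumptions.
"""
import re

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
TAG_RE = re.compile(r"^\[SNORTIDS\[(\w+)\]: \[([^\]]+)\] \]$")
EVENT_RE = re.compile(r"^(\S+ \S+) (\d+) \[(\d+):(\d+):(\d+)\] (.*)$", re.S)


def pri_for(facility: str, severity: str) -> int:
    """PRI value a sender must emit for the given facility/severity names."""
    fac = next(code for code, name in FACILITIES.items() if name == facility)
    return fac * 8 + SEVERITIES.index(severity)


def decode_pri(datagram: str):
    """Split '<PRI>' off a raw datagram; returns (facility, severity, rest)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, f"facility{fac}"), SEVERITIES[sev], datagram[m.end():]


def parse_alert(message: str) -> dict:
    """Parse the '|'-delimited body that barnyard2 alert_syslog_full emits."""
    m = HEADER_RE.match(message.strip())
    if not m:
        raise ValueError("no syslog timestamp/hostname header")
    stamp, host, body = m.groups()
    body = body.strip()
    if body.startswith("|"):
        body = body[1:]
    if body.endswith("|"):
        body = body[:-1]
    # maxsplit=5 keeps any '||' that might occur inside a payload intact
    parts = [p.strip() for p in body.split("||", 5)]
    if len(parts) < 5:
        raise ValueError(f"expected at least 5 '||' fields, got {len(parts)}")
    tag = TAG_RE.match(parts[0])
    ev = EVENT_RE.match(parts[1])
    if not (tag and ev):
        raise ValueError("unrecognised SNORTIDS tag or event field")
    proto, src, dst = parts[3].split()
    sport, dport = parts[4].split()
    payload = parts[5] if len(parts) > 5 else ""
    return {
        "syslog_time": stamp, "syslog_host": host,
        "kind": tag.group(1), "sensor": tag.group(2),
        "event_time": ev.group(1),
        "event_id": int(ev.group(2)),   # assumed meaning of this field
        "gid": int(ev.group(3)), "sid": int(ev.group(4)), "rev": int(ev.group(5)),
        "msg": ev.group(6), "classification": parts[2],
        "proto": int(proto), "src": src, "dst": dst,
        "sport": int(sport), "dport": int(dport),
        # '#012' is the escaped newline rsyslog leaves where the payload was empty
        "payload": "" if payload == "#012" else payload,
    }


def diagnose(datagram: str, want_facility: str = "local3") -> dict:
    """Decode one datagram and report which facility it actually carries and
    whether any payload detail is present."""
    facility, severity, rest = decode_pri(datagram)
    alert = parse_alert(rest)
    alert["facility"], alert["severity"] = facility, severity
    alert["problems"] = []
    if facility != want_facility:
        alert["problems"].append(
            f"sent as {facility}.{severity}, an rsyslog {want_facility}.* rule will not match")
    if not alert["payload"]:
        alert["problems"].append("no payload field: sender is in fast detail mode")
    return alert


# Constructed datagram following the layout of the post's sample entry.
SAMPLE = ("<153>Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || "
          "2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx "
          "Brute Force Account Access || web-application-attack || "
          "6 192.0.2.10 198.51.100.5 || 20175 80 || #012 |")

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key:15} {value}")
```

Feeding it a datagram captured on the rsyslog host (for example from a packet capture on UDP/514) tells you immediately whether the sender used local3.alert (PRI 153) or something else, which is the first thing to rule out before suspecting the rsyslog rule; an empty payload field confirms the "Detail Level: Fast" line seen in the startup log regardless of the facility.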