Snort mailing list archives

Re: Snort+ and logging


From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 21 Sep 2018 10:48:55 -0400



On 9/20/18 4:55 PM, Meridoff via Snort-users wrote:


Thu, 20 Sep 2018 at 19:48, Andy Swartzbaugh <andy.swartzbaugh () gmail com <mailto:andy.swartzbaugh () gmail com>>:

    1)  My understanding is that Barnyard was a remedy to cope with
    Snort2's single-processor (i.e., not multi-processing) design and
    that Snort3 should be able to handle logging without needing
    another process to handle the logging.


It is true. But Barnyard2 is able to send alerts to a DB or remote syslog - it is useful. Snort3 now doesn't support it.
Snort 3 can integrate with Barnyard 2 with this configuration:

    bool unified2.legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility

The problem is that Snort 3 generates more and different data than BY2 can process.  An alternative is to use JSON and elastic stack or splunk.  See e.g. https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html.

    2) from
    www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging
    <http://www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging>
    :

    snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir

    from
    www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog
    <http://www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog>
    :

    This must be done in snort.lua as opposed to the command line:

    alert_syslog =
    {
            facility = local3,
            level = info,

    }

Just to clarify, facility and level are strings so level = 'info' etc. (enums take string values):

$ snort --help-config alert_syslog
enum alert_syslog.facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
enum alert_syslog.level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }


It is true for alerts. But I've asked about the snort process (daemon) log. Nevertheless - thank you for the info, it is useful.

    If you wanted to send the logs to another server, that would be
    handled within rsyslogd (I use Ubuntu).  Create a file named
    "/etc/rsyslog.d/10-snort.conf" (the lower the number, the higher
    the priority) and put the following line in it:

    local3.* @loghost





    On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users
    <snort-users () lists snort org <mailto:snort-users () lists snort org>>
    wrote:

        Hello, I've heard that barnyard2 is out of date for snort3.
        Though it can be used.

        1. What are the alternative (to barnyard2) ways for logging
        snort3 alerts to remote databases or remote syslog etc.? Maybe
        it will be included in the snort3 project in the future?

        2. Small question - snort3 itself writes its own log to syslog
        (-M option). What are the ways to specify internal daemon
        logging methods: to file or syslog LEVEL or something else? I
        found nothing concerning this in the config.

        Thanks for response
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists snort org <mailto:Snort-users () lists snort org>
        Go to this URL to change user options or unsubscribe:
        https://lists.snort.org/mailman/listinfo/snort-users

                To unsubscribe, send an email to:
        snort-users-leave () lists snort org
        <mailto:snort-users-leave () lists snort org>

        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!

        Please follow these rules:
        https://snort.org/faq/what-is-the-mailing-list-etiquette
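Putting Russ's clarification together with the Barnyard2 setting quoted earlier, here is an added snort.lua fragment (not from any poster in the thread) showing the alert_syslog block with the enum values quoted as strings, plus unified2.legacy_events enabled for Barnyard2; the space-separated syntax for the multi-valued options key is an assumption.

```lua
-- snort.lua fragment (added example): alert_syslog with string enums.
-- Andy's original snippet used bare identifiers (facility = local3),
-- which Lua reads as undefined variables (nil), not as the enum values.
alert_syslog =
{
    facility = 'local3',   -- enum: auth | authpriv | daemon | user | local0..local7
    level = 'info',        -- enum: emerg | alert | crit | err | warning | notice | info | debug
    options = 'pid',       -- multi: subset of cons | ndelay | perror | pid (space-separated, assumed)
}

-- Barnyard2 compatibility path from the same thread: emit Snort 2.X
-- style unified2 events (default is false).
unified2 =
{
    legacy_events = true,
}
```

With facility local3 selected, the rsyslog line quoted above (local3.* @loghost) forwards exactly these alerts to the remote log host.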


