
Re: [Snort-users] Difference of Alerts, Snort Logs, and Tcpdumps

Subject: Re: [Snort-users] Difference of Alerts, Snort Logs, and Tcpdumps
Date: Tue, 04 Mar 2008 13:46:46 -0500
OK and thanks Seth.
It helps to understand what the logs mean. For some reason the old way of controlling these no longer works. I have checked release notes and the FAQ but little is said there.


In my OLD implementation the configuration appears like this:
snort.conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT
output log_tcpdump: tcpdump.log
syslog.conf
local0.* /var/log/snort/snortlog.log
As expected I get a dump of ASCII alerts in snortlog.log and a bin dump in tcpdump.log


However when I try the same parms in my new implementation on Fedora Core 6 with snort 2.8.0.2,
If I start with
24905 ? Ss 0:02 /usr/sbin/snort -D -i eth3 -u root -g snort -c /etc/snort/snort.conf -l /var/log/snort


I get only the tcpdump log:
-rw------- 1 root snort 268022 Mar  4 13:06 tcpdump.log.1204653931
and my /var/log/messages receives all the alerts

I changed the startup to include -A and -b
25023 ? Ss 0:00 /usr/sbin/snort -A fast -b -D -i eth3 -u root -g snort -c /etc/snort/snort.conf -l /var/log/snort
resulting files
-rw------- 1 root snort 84701 Mar 4 13:04 alert
-rw------- 1 root snort 298787 Mar 4 13:04 snort.log.1204653811


I am not sure if something changed in the snort.conf but I have tried several variations on the startup parms (-a, -M -b), on snort.conf and with the syslog.conf but I cannot get my original function back (e.g. alerts in snortlog.log and dump in tcpdump.log.xxxxxxxx).
==============================================================


Fritz,

Alerts are stored in ASCII.  You can cat, tail, less, etc. that file.
snortlog.log is most likely in unified format (binary, so you can't
view it in a text editor).
tcpdump.log is stored in pcap format.  You can most likely read this
file by typing: tcpdump -nr Tcpdump.log and it will show you the
actual packets that were collected by snort rules that in fact log
packets.

Those three files are each the result of a separate output plugin.
There has been a lot of them written as to which is best for each
scenario.   ASCII logs are great for quickly checking what your sensor
is seeing, but it slows down the instance of snort considerably.
When running snort in daemon mode, you should almost always run snort
without this option (-A fast on the command line)

If you are upgrading the old sensor, and you want to keep all of your
other tools the same, the important lines that have to do with logging
can be found by doing this:

grep output snort.conf | grep -v '^[[:space:]]*#'

Of course this just looks at the output part of the snort.conf
configuration.  You will have to make sure you retain a whole lot of
information from the previous snort.conf file including $HOME_NET and
$EXTERNAL_NET, and a whole lot of others.   Check out some of the
how-to documents on www.snort.org

-Seth



On Tue, Mar 4, 2008 at 12:07 PM, frederick sonnichsen
<fsonnichsen@whoi.edu> wrote:


I am new  to snort and trying to upgrade a prior system. It appears that
the old system collects Alerts, Snortlog.log and Tcpdump.log, however
after reading the doc I am a little unclear on the meaning of  these.
Are the snortlogs basically uncompressed versions of the tcpdumps? Also
are the alerts a condensation of the snort logs?
Thanks,
Fritz


------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
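An added example, not part of the thread and not Snort project code: it tells a pcap-format packet log (what `output log_tcpdump` writes and `tcpdump -nr` reads) apart from a text alert file by the leading magic bytes, then walks the pcap packet records. The sample capture and the sample alert line are constructed for illustration.

```python
import struct

# pcap global-header magic as stored on disk -> (byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
}

def classify(data: bytes) -> str:
    """Return 'pcap', 'text' or 'binary' for the contents of a log file."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    try:
        data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "text"

def read_pcap(data: bytes):
    """Parse the 24-byte global header, then walk the packet records.

    Returns (linktype, [(ts_sec, captured_len, original_len), ...]).
    A truncated final record (sensor stopped mid-write) ends the walk.
    """
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a pcap file")
    order, _unit = PCAP_MAGICS[data[:4]]
    _maj, _min, _zone, _sig, _snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break  # incomplete record at end of file
        packets.append((ts_sec, incl_len, orig_len))
        off += 16 + incl_len
    return linktype, packets

# Constructed sample: one 60-byte Ethernet frame (linktype 1), little-endian.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
               + struct.pack("<IIII", 1204653931, 0, 60, 60) + b"\x00" * 60)
# Constructed sample line in the style of a one-line text alert.
SAMPLE_ALERT = b"03/04-13:04:31.000000 [**] [1:1000001:1] Constructed test alert [**]\n"

if __name__ == "__main__":
    print(classify(SAMPLE_PCAP), read_pcap(SAMPLE_PCAP))
    print(classify(SAMPLE_ALERT))
```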





