Snort mailing list archives


From: Ninad Purohit <ninadpurohit () gmail com>
Date: Thu, 24 Jun 2010 09:20:33 +0530

On 6/24/10, snort-users-request () lists sourceforge net
<snort-users-request () lists sourceforge net> wrote:
Send Snort-users mailing list submissions to
      snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
      snort-users-request () lists sourceforge net

You can reach the person managing the list at
      snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Useful logging of performance statistics (Crook, Parker)
   2. Re: Useful logging of performance statistics (Jason Wallace)
   3. Re: Useful logging of performance statistics (Crook, Parker)
   4. Having problem with Barnyard (Nick Moore)


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Jun 2010 17:05:38 -0400
From: "Crook, Parker" <Parker_Crook () reyrey com>
Subject: Re: [Snort-users] Useful logging of performance statistics
To: 'Jason Wallace' <jason.r.wallace () gmail com>
Cc: "snort-users () lists sourceforge net"
      <snort-users () lists sourceforge net>
Message-ID:
      <67C1678059C61F408194E53907AFB5CC0A4160DC2F () IS-EXMB01-RP ad reyrey com>
      
Content-Type: text/plain; charset="iso-8859-1"

Wally,

Here's my sources:

source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
};

-Parker

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Tuesday, June 22, 2010 4:53 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Useful logging of performance statistics

Out of curiosity what do you have for sources? Is s_all just snort logs?

Wally

On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook () reyrey com>
wrote:
Good afternoon all,



I recently switched over to syslog-ng in my lab environment after living
with the status-quo for way too long (On Debian, Snort logs to
/var/log/syslog).  After being lazy and scrolling the few hundred/thousand
lines to get to the rules and preprocessor stats in my log files, I wanted a
better way.  Now that I am using syslog-ng, I have:

#DESTINATION
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };

#FILTER
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };

#LOG
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };

And was kind of hoping for a nice breakup of logging; alas:

  4 drwxr-xr-x 2 snort       snort   4096 2010-06-22 15:04 snort
 12 -rw-r----- 1 root        adm     8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root        adm   455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root        adm   597570 2010-06-22 15:04 snort_notice
 24 -rw-r----- 1 root        adm    22932 2010-06-22 15:04 snort_warn

So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
snort_notice, but I still have to rummage through a bunch of cruft just to
get what I am looking for.  So my question is:  Is there a better way?  I
want to log my rule profile & preprocessor profile statistics to a log unto
themselves for easy(ier) historical comparison.



Thanks,

Parker

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




------------------------------

Message: 2
Date: Tue, 22 Jun 2010 19:00:52 -0400
From: Jason Wallace <jason.r.wallace () gmail com>
Subject: Re: [Snort-users] Useful logging of performance statistics
To: "Crook, Parker" <Parker_Crook () reyrey com>
Cc: "snort-users () lists sourceforge net"
      <snort-users () lists sourceforge net>
Message-ID:
      <AANLkTim4Ch2XEjVxWjgjzIDO5-0ivJlrSX_RqGgJ05ti () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

If the goal is to only have snort logs in those files then I do not
think what you have will work. That would result in log files with all
info logs, including system logs, in snort_info, all warn logs in
snort_warn...etc. You need to add something to to the filters to tell
it them you want those levels but only for snort related logs. I'm not
in front of my box right now but I think (from memory) you might be
looking for the "match" statement...or "program" might work.

Wally


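A worked version of the program()/match() routing Wally is recalling, added here as an example; it is not from the posters or from the syslog-ng project. It assumes Parker's s_all source, syslog-ng 3.x syntax (the value("MESSAGE") argument to match() does not exist in 2.x, where match() tests the message text on its own) and that Snort tags its syslog messages with the program name "snort":

```conf
# Everything Snort writes through syslog(), at any priority, goes to one
# file. program() tests the syslog tag, so system messages logged at the
# same priority no longer end up in the Snort files.
filter f_snort { program("^snort$"); };
destination d_snort_all { file("/var/log/snort_all"); };

# Per-priority split kept, but now restricted to Snort.
filter f_snort_notice { program("^snort$") and level(notice); };
destination d_snort_notice { file("/var/log/snort_notice"); };

# Profile tables: only the header line carries a recognisable keyword. The
# "====" rulers and the numeric rows that follow are separate messages, so
# this filter catches "Rule Profile Statistics (all rules)" but not the rows.
filter f_snort_profile {
    program("^snort$") and match("Profile Statistics" value("MESSAGE"));
};
destination d_snort_profile { file("/var/log/snort_profile"); };

# flags(final) stops a matched message from also reaching the stock
# df_syslog path, so these three statements must come before the default
# log statements; the catch-all with final goes last of the three.
log { source(s_all); filter(f_snort_profile); destination(d_snort_profile); };
log { source(s_all); filter(f_snort_notice); destination(d_snort_notice); };
log { source(s_all); filter(f_snort); destination(d_snort_all); flags(final); };
```

Check the file with `syslog-ng -s` (syntax only) before restarting the daemon. The f_snort_profile filter also shows the limit of doing this inside syslog-ng: each row of the table is its own syslog message with nothing but whitespace and numbers in it, so a per-message regex can pick out the header line but cannot keep the rows with it; the rows have to be reassembled afterwards from the Snort-only file.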
------------------------------

Message: 3
Date: Wed, 23 Jun 2010 08:45:33 -0400
From: "Crook, Parker" <Parker_Crook () reyrey com>
Subject: Re: [Snort-users] Useful logging of performance statistics
To: 'Jason Wallace' <jason.r.wallace () gmail com>
Cc: "snort-users () lists sourceforge net"
      <snort-users () lists sourceforge net>
Message-ID:
      <67C1678059C61F408194E53907AFB5CC0A4160DC30 () IS-EXMB01-RP ad reyrey com>
      
Content-Type: text/plain; charset="iso-8859-1"

Wally,

Thanks for the reply -- I guess I should have been a little clearer in my
original post:  the definitions I list here are the custom definitions, I am
still using the default logging facilities as well, ie:
        destination df_auth { file("/var/log/auth.log"); };
        destination df_syslog { file("/var/log/syslog"); };
        .
        .
        .
...along with the filters and logs.  Snort_notice only contains logs from
Snort; however it contains what seems to be all information from starting
and stopping Snort, whereas I am looking for a way to log the rule & preproc
performance stats to a separate file.  I tried setting up a filter for
syslog-ng, but the problem is that the information gets logged line by line,
and threw off my plan of setting up a regex filter.

My intent in asking this question would be: does anyone else have a
mechanism to log this info in an easily accessible place?  If not, is there
a good way to accomplish it (I thought about a series of regex filters
inside of syslog-ng, but after I started bashing out a 'solution' I stepped
back and thought, 'those are some seriously ugly pcre's' and there has got
to be a better way)?  And of course, is anybody else using this form of
logging to acquire information on rule performance in their environment?
I have found it terribly useful.

-Parker


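Parker's last point, that the tables arrive one syslog message per line, is why a per-line regex in syslog-ng cannot carve them out: only the header line says "Profile Statistics", and the rulers and numeric rows after it carry no marker. The small state machine below reassembles the tables after the fact from a syslog file and keys the rule rows by gid:sid so two runs can be diffed, which is the historical comparison Parker is after. It is an added example, not code from the posters, Snort or syslog-ng; it assumes syslog-ng's default file template ("Jun 22 15:04:01 host snort[pid]: message") and the column order Snort 2.8 prints for config profile_rules and config profile_preprocs, and its sample log is constructed to that layout rather than captured from a sensor. (Later Snort 2.x manuals also document a filename option on config profile_rules / config profile_preprocs that writes the tables straight to a file, which sidesteps syslog entirely; check the manual for your build.)

```python
"""Reassemble Snort's rule/preprocessor profile tables from a syslog file.

Added example for this thread, not code from the posters, Snort or syslog-ng.
Assumes syslog-ng's default file() template ("Jun 22 15:04:01 host snort[pid]:
message") and the column order Snort 2.8 prints for config profile_rules and
config profile_preprocs; SAMPLE_LOG is constructed to that layout, not captured.
"""
import re

# One syslog line as syslog-ng's default file template writes it (assumption).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Only the first line of a table carries a keyword; rulers, column header
# and numeric rows follow as separate syslog messages.
TABLE_RE = re.compile(r"^(Rule|Preprocessor) Profile Statistics")
RULE_KEYS = ("num", "sid", "gid", "rev", "checks", "matches", "alerts",
             "microsecs", "avg_check", "avg_match", "avg_nonmatch")

def _parse_row(kind, text):
    """One data row -> dict, or None when a digit-led line is not a row."""
    f = text.split()
    try:
        if kind == "rule":
            # Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
            if len(f) < 11:
                return None
            return dict(zip(RULE_KEYS, [int(x) for x in f[:8]] + [float(x) for x in f[8:11]]))
        # Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct-of-Caller Pct-of-Total;
        # the name may contain spaces ("rule eval"), so peel off the 7 trailing columns.
        tail = f[-7:]
        return {"num": int(f[0]), "name": " ".join(f[1:-7]), "layer": int(tail[0]),
                "checks": int(tail[1]), "exits": int(tail[2]), "microsecs": int(tail[3]),
                "avg_check": float(tail[4]), "pct_caller": float(tail[5]),
                "pct_total": float(tail[6])}
    except (ValueError, IndexError):
        return None

def extract_tables(lines):
    """Return one dict per table (kind, ts, pid, rows). A header opens a table,
    rulers and the "Num ..." column header are skipped, digit-led lines become
    rows and any other Snort message closes it. Lines from other programs are
    ignored, so a kernel message interleaved in /var/log/syslog cannot split one."""
    tables, cur = [], None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m or m.group("prog") != "snort":
            continue
        text = m.group("msg").strip()
        hdr = TABLE_RE.match(text)
        if hdr:
            cur = {"kind": hdr.group(1).lower(), "ts": m.group("ts"),
                   "pid": m.group("pid"), "rows": []}
            tables.append(cur)
        elif cur is None or text.startswith(("=", "Num")):
            continue
        elif text[:1].isdigit():
            row = _parse_row(cur["kind"], text)
            if row is None:
                cur = None
            else:
                cur["rows"].append(row)
        else:
            cur = None                     # "Snort exiting", packet totals, etc.
    return tables

def rule_index(table):
    """Key rule rows by gid:sid so two runs can be compared rule by rule."""
    return {"%d:%d" % (r["gid"], r["sid"]): r for r in table["rows"]}

def compare_rule_tables(old, new, field="avg_check"):
    """Per-rule change in `field` between two runs; positive means slower now."""
    a, b = rule_index(old), rule_index(new)
    return {k: round(b[k][field] - a[k][field], 2) for k in a if k in b}

# Constructed sample: two Snort runs (pids 4242 and 5151) plus one kernel line.
SAMPLE_LOG = """\
Jun 22 15:04:01 sensor1 snort[4242]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 sensor1 snort[4242]: ==========================================================
Jun 22 15:04:01 sensor1 snort[4242]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
Jun 22 15:04:01 sensor1 snort[4242]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============
Jun 22 15:04:01 sensor1 snort[4242]:      1     2003   1   8        700       700         0                 840        1.2        1.2          0.0
Jun 22 15:04:01 sensor1 snort[4242]:      2  1000001   1   1        500         3         3                 250        0.5       20.0          0.4
Jun 22 15:04:01 sensor1 kernel: eth1: link up
Jun 22 15:04:01 sensor1 snort[4242]: Preprocessor Profile Statistics (all)
Jun 22 15:04:01 sensor1 snort[4242]: ==========================================================
Jun 22 15:04:01 sensor1 snort[4242]:  Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
Jun 22 15:04:01 sensor1 snort[4242]:  ===            ============ =====     ======      =====           =========  ========= ============= ============
Jun 22 15:04:01 sensor1 snort[4242]:    1                   detect     0       1200       1200              480000      400.0         60.0         60.0
Jun 22 15:04:01 sensor1 snort[4242]:     1               rule eval     1       1200       1200              120000      100.0         25.0         15.0
Jun 22 15:04:01 sensor1 snort[4242]: Snort exiting
Jun 23 02:00:00 sensor1 snort[5151]: Rule Profile Statistics (all rules)
Jun 23 02:00:00 sensor1 snort[5151]: ==========================================================
Jun 23 02:00:00 sensor1 snort[5151]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
Jun 23 02:00:00 sensor1 snort[5151]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============
Jun 23 02:00:00 sensor1 snort[5151]:      1     2003   1   8        900       900         0                1350        1.5        1.5          0.0
Jun 23 02:00:00 sensor1 snort[5151]:      2  1000001   1   1        600         2         2                 240        0.4       30.0          0.3
"""

if __name__ == "__main__":
    runs = [t for t in extract_tables(SAMPLE_LOG.splitlines()) if t["kind"] == "rule"]
    for key, delta in sorted(compare_rule_tables(runs[0], runs[-1]).items()):
        print("%-12s avg_check %+.2f us" % (key, delta))
```

On a sensor, feed it the Snort-only file instead of the sample, e.g. `extract_tables(open("/var/log/snort_notice"))`, and keep one table per run (the pid and timestamp identify the run) to build the history. The parser deliberately closes a table on any Snort message that is not a ruler, the column header or a numeric row, so the packet and action totals Snort prints on exit are never mistaken for rows.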
------------------------------

Message: 4
Date: Wed, 23 Jun 2010 17:32:10 -0500
From: Nick Moore <nmoore () sourcefire com>
Subject: [Snort-users] Having problem with Barnyard
To: snort-users () lists sourceforge net
Message-ID:
      <AANLkTil5ROmaATG29X_P0PDOZQaXYP5h2OyNzBhn6wW2 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

All,

I'm having a problem with Barnyard putting data into MySQL. Snort is seeing
events and the log file is increasing, but no events have yet been written
to the database.

I've attached my snort.conf and barnyard2.conf. Based on the Snort screen
output below, I'm sure events are triggering:

===============================================================================
Action Stats:
ALERTS: 246
LOGGED: 246
PASSED: 0
=====================

I'm sure I'm overlooking something simple. If anyone can point me in the
right direction, it would be much appreciated.

Thanks!

--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org

------------------------------

End of Snort-users Digest, Vol 49, Issue 31
*******************************************


-- 
Sent from my mobile device


ninad purohit
<ninadpurohit (at) gmail (dot) com>
have a nice day :-)
