
Snort mailing list archives
Fwd: Unrecognised syslog facility/priority in snort
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Fri, 18 Oct 2013 07:12:37 +0530
Hi Praveen Sir,

> Are you able to see logs at *.* /var/log/172.20.54.212/syslog

My mistake, sir. There is not any log file named syslog at this location. Instead, there is /var/log/messages. I also tried this but did not succeed.

> $AllowedSender TCP, 127.0.0.1, 172.0.0.0/24, 172.20.54.211
> comment above line or add required IP's (I think it should be 172.20.25.0/24 instead of 172.0.0.0/24)

I have commented the above lines and also changed the IP as said above. But it did not succeed.

> Replace "auth.alert @172.20.54.213" with "*.alert @172.20.54.213:514"
> Didn't find above line in config file.

Sorry about this. This content is present in the file /etc/rsyslog.d/snort.conf, which I was unable to send at that time as my setup was in the college. Now, I have changed the settings as said by you at that location. It did not succeed.

> From 172.20.54.211 (snort) ping 172.20.54.213 (syslog server) and vice versa.
> From 172.20.54.211 (snort) nc 172.20.54.213 (syslog server) on udp/514 port.

I am able to do both in both directions.

> In snort.conf, stick to
> output alert_syslog: host=172.20.54.213:514, LOG_AUTH LOG_ALERT
I found one thing:

1. In the beginning, when I installed snort, I followed the guide from the snort site, which I am attaching with this mail.

2. There are two locations where the "snort" file resides:
   > /etc/init.d/snort - script which we add at startup
   > /usr/local/bin/snort - executable file

3. In the meantime, I am getting the problem that snort is not recognizing the /etc/snort/snort.conf content to run snort:
   ERROR: Can't set DAQ BPF filter to 'start' (pcap_daq_set_filter: pcap_compile: syntax error)!
   Fatal Error, Quitting..

4. So, from mailing list guidance, I changed the name of /etc/init.d/snort to /etc/init.d/snortd and started it as a daemon.

5. Today I tested all the facilities and priorities.

Facilities
log_auth -> failed for alert
log_authpriv -> failed for alert
log_daemon -> alert
log_local0 -> alert
log_local1 -> alert
log_local2 -> alert
log_local3 -> alert
log_local4 -> alert
log_local5 -> alert
log_local6 -> alert
log_local7 -> alert
log_user -> alert

Priorities
log_emerg
log_alert
log_crit
log_err
log_warning
log_notice
log_info
log_debug

Except for these two facilities, AUTH & AUTHPRIV, all others are able to log with all priorities.

Also a noticeable thing: on IP 172.20.54.213, I observed from the file /etc/rsyslog.d/50-default.conf that the line

auth,authpriv.* /var/log/auth.log

is having recent entries of snort alerts; whichever alerts wireshark is showing are logging there, and syslog is not logging them. For example,

Oct 14 14:03:47 clc snort: [1:477:3] ICMP Packets are ping results [Classification: A TCP Connection was Detected] [Priority: 4] {ICMP} 172.20.54.212 -> 172.20.54.211
Oct 14 14:04:48 clc snort: last message repeated 13 times
Oct 14 14:05:48 clc snort: last message repeated 12 times

I have tried my best to provide configurations. Please correct me if I am wrong. Seeking guidance, thanks!!

P.S. I am also attaching all configuration files from the three machines which I think are useful. Please suggest if there are any grievances.

--
Cheers,
Mayur
Attachment: snort2945_CentOS6x.pdf
Attachment: rsyslog files.zip
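Added example for this thread (not code from the mail, from Snort or from rsyslog): it encodes the syslog PRI value that Snort's alert_syslog output prepends to each alert (facility * 8 + severity, as in RFC 3164/5424 and syslog.h) and evaluates rsyslog/sysklogd-style selectors against a message to show which file it lands in. The rule table is constructed for illustration, modelled on the Debian/Ubuntu 50-default.conf layout: only the auth,authpriv.* line is quoted in the mail; the "*.*;auth,authpriv.none" syslog rule and the daemon rule are assumptions, and the sample alert text is adapted from the one quoted above.

```python
# Added example (not from the original mail or from Snort/rsyslog).
# Facility and severity codes are the standard RFC 3164/5424 values.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FAC_NAMES = {v: k for k, v in FACILITIES.items()}
_SEV_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """PRI value carried as '<PRI>' at the start of a syslog datagram.
    Snort's 'LOG_AUTH LOG_ALERT' corresponds to pri('auth', 'alert') == 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Inverse of pri(): (facility, severity) names for a PRI value."""
    return _FAC_NAMES[value // 8], _SEV_NAMES[value % 8]


def datagram(facility, severity, timestamp, host, tag, msg):
    """Build a BSD-style (RFC 3164) syslog line as sent over udp/514."""
    return "<%d>%s %s %s: %s" % (pri(facility, severity), timestamp, host, tag, msg)


def matches(selector, facility, severity):
    """True if an rsyslog selector such as 'auth,authpriv.*' or
    '*.*;auth,authpriv.none' accepts the message.  Fields are separated
    by ';' and read left to right; the last field naming the facility
    wins, so 'auth,authpriv.none' after '*.*' removes auth messages.
    A bare priority means that severity or worse, '=prio' means exactly
    that severity, and 'none' disables the facility."""
    sev = SEVERITIES[severity]
    allowed = None          # None: no field mentioned this facility
    for field in selector.split(";"):
        field = field.strip()
        if not field:
            continue
        facs, _, prio = field.rpartition(".")
        names = [f.strip() for f in facs.split(",")]
        if "*" not in names and facility not in names:
            continue
        if prio == "none":
            allowed = False
        elif prio == "*":
            allowed = True
        elif prio.startswith("="):
            allowed = sev == SEVERITIES[prio[1:]]
        else:
            allowed = sev <= SEVERITIES[prio]
    return bool(allowed)


# Constructed rule table (selector, action); an assumption modelled on the
# Debian/Ubuntu 50-default.conf layout, not the thread's actual file.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("daemon.*", "-/var/log/daemon.log"),
]


def route(facility, severity, rules=RULES):
    """Files a message with this facility/severity is written to, in rule order."""
    return [target for selector, target in rules
            if matches(selector, facility, severity)]


if __name__ == "__main__":
    # Alert text adapted from the line quoted in the mail.
    alert = ("[1:477:3] ICMP Packets are ping results [Classification: A TCP "
             "Connection was Detected] [Priority: 4] {ICMP} "
             "172.20.54.212 -> 172.20.54.211")
    for fac in ("auth", "authpriv", "daemon", "local0"):
        line = datagram(fac, "alert", "Oct 14 14:03:47", "clc", "snort", alert)
        print("%-8s PRI=%3d -> %s" % (fac, pri(fac, "alert"), route(fac, "alert")))
        print("    " + line[:64] + "...")
```

With these constructed rules, an alert sent as LOG_AUTH LOG_ALERT (PRI 33) or LOG_AUTHPRIV LOG_ALERT is accepted only by the auth,authpriv.* rule, while LOG_DAEMON or LOG_LOCAL0 alerts are accepted by the catch-all syslog rule; checking the PRI in a packet capture against the selector logic is a quick way to tell a facility/priority mismatch from a transport or $AllowedSender problem.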
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Unrecognised syslog facility/priority in snort, (continued)
- Message not available
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 08)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 09)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 09)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 11)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 11)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 11)
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 11)
- Message not available
- Re: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 13)
- Re: Unrecognised syslog facility/priority in snort praveen_recker . (Oct 13)
- Message not available
- Fwd: Unrecognised syslog facility/priority in snort Mayur Patil (Oct 17)
- Re: Fwd: Unrecognised syslog facility/priority in snort Peter Bates (Oct 18)