Snort mailing list archives
Re: Output Snort3
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 20 Apr 2020 16:52:07 +0000
Correction > "auth" should be "facility" in the configuration.
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Y M via Snort-sigs <snort-sigs () lists snort org>
Sent: Monday, April 20, 2020 6:35 PM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Output Snort3
Hello Ekrem,
From Snort 3 help:
# snort --help-module alert_syslog
alert_syslog
What: output event to syslog
Type: logger
Usage: global
Configuration:
enum alert_syslog.facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
enum alert_syslog.level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }
Example configuration in snort.lua:
alert_syslog =
{
auth = local7,
level = info
}
Example rule:
alert tcp any any -> any any ( msg:"Sample Dummy Alert"; sid:1000000; rev:1; )
Output:
# tail -f /var/log/messages
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:14685 -> 173.37.145.84:25
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:9208 -> 173.37.145.84:80
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 173.37.145.84:25 -> 192.168.0.1:14685
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 173.37.145.84:80 -> 192.168.0.1:9208
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:14685 -> 173.37.145.84:25
Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:9208 -> 173.37.145.84:80
snort-sigs list is intended for signatures. General operational questions can be sent to snort-users.
Thank you.
YM
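Since the original question was about feeding these alerts into a log-based monitor, here is an added example (not from the thread or the Snort project) that parses the alert_syslog line format shown above into fields and summarizes alerts per rule and destination port. It assumes the default syslog prefix and IPv4 endpoints as in the sample output; the non-Snort sshd line in the sample is constructed to show that unrelated /var/log/messages entries are skipped.

```python
import re
from collections import Counter

# Pattern for the alert_syslog line format shown in the thread, assumed to read
# "<timestamp> <host> snort[<pid>]: [gid:sid:rev] "msg" {proto} src:sport -> dst:dport".
# IPv4 endpoints only, as in the sample output (an assumption of this example).
ALERT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \{(?P<proto>\w+)\} '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$'
)
INT_FIELDS = ("pid", "gid", "sid", "rev", "sport", "dport")

def parse_alert(line):
    """Parse one syslog line into a dict of fields; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        fields[key] = int(fields[key])
    return fields

def summarize(lines):
    """Count alerts per (gid, sid, msg) and per destination port; count skipped lines."""
    by_rule, by_dport, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1  # e.g. sshd or kernel entries sharing /var/log/messages
            continue
        by_rule[(alert["gid"], alert["sid"], alert["msg"])] += 1
        by_dport[alert["dport"]] += 1
    return by_rule, by_dport, skipped

# Constructed sample: three lines copied from the thread plus one unrelated syslog entry.
SAMPLE_LOG = [
    'Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:14685 -> 173.37.145.84:25',
    'Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 192.168.0.1:9208 -> 173.37.145.84:80',
    'Apr 20 18:26:08 snort3 snort[13337]: [1:1000000:1] "Sample Dummy Alert" {TCP} 173.37.145.84:25 -> 192.168.0.1:14685',
    'Apr 20 18:26:09 snort3 sshd[4321]: Accepted publickey for admin from 10.0.0.5 port 51000',
]

if __name__ == "__main__":
    rules, dports, skipped = summarize(SAMPLE_LOG)
    for (gid, sid, msg), n in rules.items():
        print(f"[{gid}:{sid}] {msg}: {n} alert(s)")
    print("destination ports:", dict(dports), "skipped lines:", skipped)
```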
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Ekrem AYDIN <Ekrem.AYDIN () arhs-cube com>
Sent: Friday, April 17, 2020 3:40 PM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [Snort-sigs] Output Snort3
Hello,
How do I configure the alert_syslog output on Snort 3, please?
A log file is required in order to use Zabbix.
Regards,
Ekrem AYDIN
IT Trainee
Email : ekrem.aydin () arhs-cube com
13, Boulevard du Jazz
L-4370 Belvaux
www.arhs-cube.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads