Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort3 generating multiple alert files

From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Wed, 18 May 2016 08:41:14 +0200
I've written a guide on Snort++ for Ubuntu 12 and 14 (a slightly older
version) for Ubuntu:
Snort 3 Alpha:
Installing Snort++ in Ubuntu 14
<http://sublimerobots.com/2015/11/installing-snort-in-ubuntu-14-version-3-0-alpha-2/>
(Snort
3.0 Alpha 2)
Installing Snort++ in Ubuntu 12
<http://sublimerobots.com/2015/11/installing-snort-in-ubuntu-12-version-3-0-alpha-2/>
(Snort
3.0 Alpha 2)

Noah

On Tue, May 17, 2016 at 11:02 PM, Russ <rucombs () cisco com> wrote:


Can you also point us to the incomplete documents and share what issues
you had trying to get Snort++ running?  We would like to rectify that.

Thanks

Russ

On 5/17/16 3:02 PM, Al Lewis (allewi) wrote:

If you get snort3 from github the instructions are in the doc/start.txt
file.



You can also see the instructions in the manual:




<https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/003/768/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1463515261&Signature=JICgARmNdTsuNX4NC6sH27Z76Nw%3D#_building>
https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/003/768/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1463515261&Signature=JICgARmNdTsuNX4NC6sH27Z76Nw%3D#_building







*Albert Lewis*

QA SNORT/Sourcefire

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



*From:* Ronald Hill [mailto:ronald.hill () dunbarsecured com
<ronald.hill () dunbarsecured com>]
*Sent:* Tuesday, May 17, 2016 2:14 PM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Snort3 generating multiple alert files



Does anyone have instructions on installing snort3?  All the documents
that I find are incomplete and I have yet to successfully stand up a
working instance.

Many Thanks.



Ronald Hill

SOC Analyst I

Dunbar Security Solutions

P: (443) 391 5480



*From:* João Soares [mailto:joaops () dei uc pt <joaops () dei uc pt>]
*Sent:* Monday, May 16, 2016 10:02 PM
*To:* Russ <rucombs () cisco com>; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Snort3 generating multiple alert files



You are absolutely right. The quotes made all the difference.

Adding log_pcap = { limit = 50, units = "M" } worked in conjunction with
alert_full, only after I removed the -L (or -A) option - makes sense!

This is all I needed for now. Thank you so much!

On 05/17/2016 02:46 AM, Russ wrote:





On 5/16/16 9:14 PM, João Soares wrote:

Greetings,

I had tried something similar to your suggestion before and it hadn't
worked, but now it does and I feel dumb.

However, if I try, for example:

alert_full = {file = true, limit = 50, units = MB}

or

alert_full = {file = true, limit = 50, units = M}

The behavior stays the same (new file every 4Kb). Maybe there is also some
kind of bug with the units?

The help is a little cryptic so let me expound on that.  The format is
type name = default: help { range } so

    enum alert_full.units = B: limit is in bytes | KB | MB | GB { B | K |
M | G }

the type, enum, is a string taking the values "B" or "K" or "M" or "G".
The help is possibly confusing here but it is saying that "B" means bytes,
"K" means kilobytes, etc.  So, this should get what you want:

    alert_full = { file = true, limit = 50, units = "M" }

But, you could just default to bytes and do this instead:

    alert_full = { file = true, limit = 50*1024*1024 }

That you didn't get an error with units = M is a disappointing feature of
Lua.  See the first item in the Gotchas.

As for your suggestion, I'm sorry but I'm not sure what you mean with "add
log_pcap to your conf".

If you want to log the triggering packets to a pcap in addition to the
full alerts, you can add this to your snort.lua:

    log_pcap = { limit = 50, units = "M" }

Note that the triggering packet may, depending upon your configuration, be
a TCP acknowledgement in which case you won't get the reassembled data.
The unified2 log would have that data however.

Thank you so much for your replies, you've been of great help!

Good - keep us posted on your progress.  :)


Best regards!

On 05/16/2016 06:53 PM, Russ wrote:

`snort --help-config alert_full` will show:

    bool alert_full.file = false: output to alert_full.txt instead of
stdout
    int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
    enum alert_full.units = B: limit is in bytes | KB | MB | GB { B | K |
M | G }

So the default limit is zero, meaning unlimited, meaning you have hit upon
a bug.  We will get that fixed.  In the meantime, you can set an explicit
limit with:

    alert_full = { file = true, limit = 12345678 }

Note that since you already have alert_full in your conf, you can add this
to your command line:

    --lua "alert_full.limit = 12345678"

Also, just to clarify earlier email, you can add log_pcap to your conf to
get pcaps along with fast alerts, but you will have to line up time stamps
to associate them.

Thanks

Russ



On 5/16/16 10:09 AM, João Soares wrote:

Greetings,

Thank you for your reply and suggestions! As for the -z option, I'm
currently doing load balancing externally as you said, I look forward for
that internal load balancing :)

At the moment we're using a network tap to mirror lots of traffic,
including wireless frames, that is why I was using the -w option. Thank you
for your clarification.

-A full goes to console by default you're right, but I have a custom .lua
file with

alert_full = {file = true}


Which makes it go to a alert_full.txt file. My main issue is that, it is
constantly creating new files, when alert_full.txt reaches ~4Kb. For
example, it makes a new alert_full.txt.1483937582 and so on. This one I
would really like to fix.

Best regards and thank you for your time

On 05/16/2016 01:43 PM, Russ wrote:





On 5/15/16 10:51 PM, João Soares wrote:

Greetings,

I'm trying to learn and adapt to snort3 and it's not being easy.

I'm running snort3 with this command:

snort -l /root/snort-logs -A full -i eth0 -c etc/snort/snort.lua -D -z 0
-d -e -w -X -y

Some comments on your options:

-z 0 will only help when you have multiple input sources or many pcaps
since, at present, load balancing must be done externally.  Internal load
balancing is coming up.

-w applies to wireless and likely doesn't actually go with your eth0
interface (usually wired).  However, since you had that combination, I
double checked and it appears that -w is no longer attached to any
functionality and will likely be deleted.

I have a two questions and I would really appreciate it if you guys could
help me out:

*1 *- Why is snort3 making a new alert file each time the original file
reaches approximately 4kb? How can I change that?

Which options are giving you 4K logs?  -A full goes to console by default.

*2* - How can I make snort3 log both alerts and pcaps of intrusions, I
can't get it to work, I have tried combining both -A and -L options but I
can only get one of them to be logged.

-A and -L are for two different run modes.  Use -A with -c to log
intrusion events.  Use -L to just log all packets, that is, for sniffer
mode.  When used together on the command line, the last one wins.

Since you want to log intrusion events, you need a logger that captures
packets along with the events.  I'm guessing that you want a separate pcap
but there is no way to do that at present.  You can use -A u2 (short for -A
unified2) and that will log the event followed by the triggering packet in
the same file.  You can then use included u2boat utility to dump a pcap
from the u2 log.

I'm sorry if these are really obvious questions, but I've read the manual
and I can't seem to find the answers.

Did you look at the usage section?  There are several examples there.  If
anything there is unclear, let us know.  We will be adding more than just
reference material soon.

Best regards and thank you for your time!

--

João Soares



SIC - Serviço de Informática e Comunicações

https://helpdesk.dei.uc.pt

Department of Informatics Engineering

Faculty of Science and Technology

University of Coimbra



------------------------------------------------------------------------------

Mobile security can be enabling, not merely restricting. Employees who

bring their own devices (BYOD) to work are irked by the imposition of MDM

restrictions. Mobile Device Manager Plus allows you to control only the

apps on BYO-devices by containerizing them, leaving personal data untouched!

https://ad.doubleclick.net/ddm/clk/304595813;131938128;j



_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!





--

João Soares



SIC - Serviço de Informática e Comunicações

https://helpdesk.dei.uc.pt

Department of Informatics Engineering

Faculty of Science and Technology

University of Coimbra





--

João Soares



SIC - Serviço de Informática e Comunicações

https://helpdesk.dei.uc.pt

Department of Informatics Engineering

Faculty of Science and Technology

University of Coimbra





--

João Soares



SIC - Serviço de Informática e Comunicações

https://helpdesk.dei.uc.pt

Department of Informatics Engineering

Faculty of Science and Technology

University of Coimbra



------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data 
untouched!https://ad.doubleclick.net/ddm/clk/304595813;131938128;j



_______________________________________________
Snort-users mailing listSnort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data
untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: