Log Types: Snort
Overview
Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire.
Snort is now developed by Cisco, which purchased Sourcefire in 2013.
Snort performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, including protocol analysis and content searching and matching.
The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.
Collection
Snort can be configured to send data to the Snare Central via the syslog protocol; Snare Central then collects, interprets, and reports on the events. The following information provides an overview of the steps required to configure the Snort sensor to send event log data back to the Snare Central. Note that no configuration is required on the Snare Central server itself.
On the host that is acting as a Snort collection sensor:
In the file /etc/syslog.conf, add the following two lines:
# Send all SYSLOG events to the Snare Central
*.*    @12.23.34.45
Substitute the IP address, or the DNS name, of the Snare Central for the string "12.23.34.45".
Modify the file /etc/snort/snort.conf to include the following line:
output alert_syslog: LOG_AUTH LOG_ALERT
One or more 'output' lines may already exist in the file; that is acceptable, since Snort can send output to multiple targets at once.
Restart your Snort network intrusion detection system and the syslog daemon. Depending on your distribution this may be one of:
/etc/init.d/snortd restart; /etc/init.d/syslog restart
service snortd restart; service syslog restart
Sample Events
snort: [1:886:10] WEB-CGI phf access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 10.0.0.1:33428 -> 10.0.0.2:80
snort[19102]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: {TCP} 146.82.200.79:80 -> 192.168.100.199:3677
snort[20584]: [1:712:8] OJO intento telnet [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 172.25.7.27:1327 -> 172.25.7.252:2
Feb 15 16:50:09 generic-ids eth1: [123:8:1] frag3: Fragmentation overlap [Classification: Unknown] [Priority: 3] {UDP} 1.1.1.3:57305 -> 224.0.0.129:4441
snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 150.101.115.22:33977 -> 168.143.113.10:80
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | Snort |
| EVENTID | Numerical event information indicating the event type |
| PRIORITY | The priority of the event, as assigned by the Snort sensor |
| CLASSIFICATION | A text field describing the type of event reported |
| DESCRIPTION | A short description of the event |
| SRCADDR | Source IP address |
| SRCPORT | Source port |
| DSTADDR | Destination IP address |
| DSTPORT | Destination port |
| PROTO | Protocol |
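As an added example (not code from this page or from Snare Central), the following Python parser maps Snort alert_syslog lines like the samples above onto the field set in the table, and counts alerts by priority so a reviewer can see at a glance how many high-priority events a sensor produced. It assumes a syslog header of the form "Mon DD HH:MM:SS host" when one is present, that the program name may be an interface name such as eth1, and that EVENTID carries the signature ID from the [gid:sid:rev] triple; the sample line marked as constructed is a deliberately malformed input used to show rejection.

```python
"""Parse Snort alert_syslog lines into the Snare field set described on this page.

Assumptions (not from the page): syslog header format "Mon DD HH:MM:SS host",
the program name may be an interface name, and EVENTID holds the signature ID.
"""
import re
from collections import Counter
from datetime import datetime

# One regex for the alert_syslog format seen in the sample events:
#   [optional syslog header] prog[pid]: [gid:sid:rev] desc [Classification: c] [Priority: p](:) {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"""^
    (?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+)?
    (?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<desc>.*?)\s+
    \[Classification:\s*(?P<cls>[^\]]*)\]\s+
    \[Priority:\s*(?P<prio>\d+)\]:?\s+
    \{(?P<proto>[A-Za-z]+)\}\s+
    (?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)
    \s*$""",
    re.VERBOSE,
)

# The five sample events from this page plus one constructed malformed line.
SAMPLE_LINES = [
    "snort: [1:886:10] WEB-CGI phf access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 10.0.0.1:33428 -> 10.0.0.2:80",
    "snort[19102]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: {TCP} 146.82.200.79:80 -> 192.168.100.199:3677",
    "snort[20584]: [1:712:8] OJO intento telnet [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 172.25.7.27:1327 -> 172.25.7.252:2",
    "Feb 15 16:50:09 generic-ids eth1: [123:8:1] frag3: Fragmentation overlap [Classification: Unknown] [Priority: 3] {UDP} 1.1.1.3:57305 -> 224.0.0.129:4441",
    "snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 150.101.115.22:33977 -> 168.143.113.10:80",
    "snort: not an alert line (constructed)",
]


def parse_alert(line, year=None):
    """Return a dict keyed by the Snare field names, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    date = time = None
    if m.group("ts"):
        # The syslog header carries no year, so the caller supplies one (default: now).
        yr = year or datetime.now().year
        stamp = datetime.strptime(f"{yr} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        date, time = stamp.strftime("%Y-%m-%d"), stamp.strftime("%H:%M:%S")
    return {
        "DATE": date,
        "TIME": time,
        "SYSTEM": m.group("host"),          # None when the line has no syslog header
        "TABLE": "Snort",
        "EVENTID": int(m.group("sid")),     # assumption: signature ID
        "SIGNATURE": f"{m.group('gid')}:{m.group('sid')}:{m.group('rev')}",
        "PRIORITY": int(m.group("prio")),
        "CLASSIFICATION": m.group("cls"),
        "DESCRIPTION": m.group("desc"),
        "SRCADDR": m.group("src"),
        "SRCPORT": int(m.group("sport")),
        "DSTADDR": m.group("dst"),
        "DSTPORT": int(m.group("dport")),
        "PROTO": m.group("proto").upper(),
    }


def parse_many(lines, year=None):
    """Split input into parsed records and rejected raw lines (kept for review, never silently dropped)."""
    records, rejected = [], []
    for line in lines:
        rec = parse_alert(line, year)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def count_by_priority(records):
    """Histogram of PRIORITY values; priority 1 is the most severe in Snort's default scheme."""
    return dict(Counter(r["PRIORITY"] for r in records))


if __name__ == "__main__":
    recs, bad = parse_many(SAMPLE_LINES, year=2024)
    for r in recs:
        print(r["PRIORITY"], r["SIGNATURE"], r["SRCADDR"], "->", r["DSTADDR"], r["DESCRIPTION"])
    print("by priority:", count_by_priority(recs))
    print("rejected:", bad)
```

Lines without a syslog header (the bare "snort:" samples) get no DATE or TIME from the parser; in the collection setup above, the syslog daemon on the sensor adds that header before the line reaches Snare Central, so a real feed will populate those fields.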
Notes
-