
Read the alert log from snort

I have a new instance with snort setup. When I tried to look at the alert log I noticed that the directory doesn't have a /var/log/snort/alert file. I tried to touch this file and to chmod it to give read and write access to my snort user, but I still have no alert (even if I create a rule to catch all the calls and put them in the log as errors):

alert ip any any -> any any ( msg: "ICMP packet detected!"; sid: 1; )

Any idea if I am missing something?

By the way, here is the command I run for Snort:

sudo /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0

Am I missing something?

If you want the alerts to go to syslog you must specify this in the snort.conf file (/etc/snort/snort.conf in your case) with the output keyword. You need to add the keyword "output" and then the name "alert_syslog", and then the options:

output <name>: <options>

So something like the following should be in your snort.conf file:

output alert_syslog: log_alert

Read more about the options that can be used with alert_syslog here.

You don't need to create any file. Snort will create it when something matches your rule and it generates an alert. To do this, start your snort in full alert mode to log all alerts with something like this:

snort -dev -i wlan0 -c /etc/snort/snort.conf -l /var/log/snort/ -A full

Then if you have Linux you can go to the path with cd /var/log/snort/ and see your logs by this command: cat alert | grep -i detected
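An added example, not part of the question or of either answer: a small Python parser for the records Snort writes to /var/log/snort/alert in -A full mode, so the file can be searched by signature id or message and counted per rule instead of only with cat | grep. The sample records are constructed and the field layout follows Snort 2's full alert format; the function and constant names are my own.

```python
import re
from collections import Counter
# Constructed sample of Snort 2 "-A full" records (not from a real host): one ICMP alert
# without a classtype, one TCP alert that carries ports and a classification.
SAMPLE_ALERT_FILE = """\
[**] [1:1:0] ICMP packet detected! [**]
[Priority: 0]
05/12-14:23:01.123456 192.168.1.10 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF

[**] [1:1:0] ICMP packet detected! [**]
[Classification: Generic ICMP event] [Priority: 3]
05/12-14:23:02.654321 192.168.1.10:51234 -> 10.0.0.5:443
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
"""
# "[**] [gid:sid:rev] msg [**]" opens every record
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]" (IPv4 only; ICMP has no ports)
ENDPOINT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_full_alerts(text):
    """Return one dict per alert record; records are separated by a blank line."""
    alerts = []
    for record in text.strip().split("\n\n"):
        lines = record.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header (e.g. a truncated record): skip it
        gid, sid, rev, msg = m.groups()
        a = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
             "classification": None, "priority": None, "sport": None, "dport": None}
        for line in lines[1:]:
            c = re.search(r"\[Classification: ([^\]]+)\]", line)
            p = re.search(r"\[Priority: (\d+)\]", line)
            e = ENDPOINT_RE.match(line)
            a["classification"] = c.group(1) if c else a["classification"]
            a["priority"] = int(p.group(1)) if p else a["priority"]
            if e:
                ts, src, sport, dst, dport = e.groups()
                a.update(timestamp=ts, src=src, dst=dst,
                         sport=int(sport) if sport else None,
                         dport=int(dport) if dport else None)
        alerts.append(a)
    return alerts

def count_by_signature(alerts):
    """Fires per (gid, sid): shows when a catch-all rule like sid 1 floods the log."""
    return Counter((a["gid"], a["sid"]) for a in alerts)
```

A rule that matches every IP packet, as in the question, will make count_by_signature report one signature dominating the file, which is the first thing to check before tuning HOME_NET or the rule itself.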
