如何对auth.log进行snort stop alert？

Question

I can't seem to get snort to stop logging to syslog (auth.log specifically). As far as I can tell it seems to be acting as if I'm running with the -s argument or with output alert_syslog: LOG_AUTH LOG_ALERT in the config.

I'm running snort 2.9.7.0 compiled with ./configure --enable-reload , and unless there is some hidden option I'm missing, I'm telling it to log to merged.log as unified2, and no place else.

snort@snort:~$ ps -ef | grep snort
snort     7524     1  1 18:15 ?        00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D

snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

Here are some of the logs that I'm seeing

snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80

Most of these alerts are garbage that I will filter out later, the alerts themselves don't bother me, what bothers me is that they are going to auth.log and I can't figure out why.

Answer 1

I would check to make sure that snort is actually the responsible process for generating those logs. I've seen cases where barnyard2 appears in the logs as if it was snort generating the logs, which would throw anyone off. In /etc/barnyard2.conf, or whatever your config file is, you will probably see a line telling to send alerts to syslog, much like this:

output alert_syslog: LOG_AUTH LOG_INFO

You'll want to edit that line so barnyard2 will log how you want it to.