Saturday, May 7, 2011

Snort: Logging Alerts to Syslog Server

Life is so busy. It's been pretty long since my last post. Well coming to the post :) ...

We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.

Add the following line to Snort configuration file
 output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
                 /etc/snort/snort.conf
In my case Snort is running on 3.3.3.9 on eth1 and eth0 is assigned with 172.16.232.171 IP which talks with Syslog Server.

Following command is used to run Snort
 snort -c /etc/snort/snort.conf -i eth1
-c    provide snort configuration file path
-i     interface on which Snort is sniffing the traffic

Output shown in above figure is seen when the Snort command is successful.

Modify syslog configuration file
                 /etc/rsyslog.conf
by adding line
*.*                                                     @172.16.232.161:514
where 172.16.232.161 is the Syslog Server IP Address and UDP/514 is the port on which it is listening.
*.* says log all types of alerts.

To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file
$ModLoad imudp.so
$UDPServerRun 514
Above lines are commented by default.

Once the modified configuration is saved restart the Syslog daemon
 /etc/rc.d/init.d/rsyslog restart

Make sure to stop firewall or add rule to allow traffic on UDP/514 port.

When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (172.16.232.161).

Below is the Packet Capture format when Snort sends alerts to Syslog Server.

Refer Snort Manual and/or Snort FAQ for further details.

For Snort Preprocessors you can refer below link
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html

Hope this will help someone somewhere.

Following articles might be of your interest
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2011/09/portable-document-files.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html

Enjoy :) !!!

18 comments:

  1. Simple how to and works great, thanks for the lesson.

    ReplyDelete
  2. Hi Praveen ,

    I am very new to snort. DO you have any simple document to follow to install Snort on linux to send the logs to external logger like splunk.

    Regards
    Raj
    rajendrapanda@gmail.com

    ReplyDelete
  3. hi rajan....what is splunk? you need to configure output plugin accordingly in snort.conf file.
    Installation document can be found at
    http://snort.org/docs
    under "snort setup guides" section.

    Queries are most welcome.

    -Praveen

    ReplyDelete
  4. Praveen, can you please convert your explanation into figure.

    Because I am following everything each and every word you have explained here. But still I am not able to see snort logs at remote server where I am running syslogd with following option : "syslogd -m 0 -r".

    Find more details :

    192.168.0.89 : snort running here with "output alert_syslog: LOG_AUTH LOG_ALERT"

    syslogd has *.* @192.168.0.103

    192.168.0.103 : this is my remote server to catch snort logs

    192.168.0.103: here I am running "syslogd -m 0 -r"

    Where I am doing wrong?

    ReplyDelete
  5. Hi Pavan,

    You forgot binding port with IP Address e.g.
    *.* @192.168.0.103:514
    syslogd is running on TCP or UDP port?? Configure accordingly.
    Make sure you are able to ping from client to server and vice versa. Allow port on Firewall.

    ReplyDelete
  6. hello is it possible to have logs saved locally?

    ReplyDelete
  7. @Anonymous
    You can have two output plugins......one for syslog one for local file system or Data Base (DB) etc

    ReplyDelete
  8. Thanks for the response, Praveen! Just another quick one, do you know how I can enable the -s switch in the snortd file so that my daemons start logging automatically?

    ReplyDelete
  9. @Anonymous
    I don't have snort installed right now n' last used was sep'2012....."-k -A -N" switches will automatically log to screen.....i may be wrong

    ReplyDelete
  10. I am very new to snort.can u show where to put the host ip in the rsyslog.conf ??

    ReplyDelete
  11. Hello, i want to ask..
    kiwi syslog server can be run on linux OS?
    thanks before

    ReplyDelete
  12. @silver stein, i don't think you have Kiwi syslog server on Linux, by the way linuc by default comes with syslog just u need to enable the service

    ReplyDelete
  13. Most of the time I don’t make comments on websites, but I'd like to say that this article really forced me to do so. Really nice post! שרת וירטואלי

    ReplyDelete
  14. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. traktor szállítás Europa-Road Kft

    ReplyDelete