Why are my Snort logs empty?

2019-08-04 08:15发布

问题:

I am running macOS Sierra 10.12.3

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.12.3
BuildVersion:   16D32

I have installed snort using homebrew

$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0

I am running snort and with a user config file, -s syslog switch, and a tcpdump-file

$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap

my /etc/snort/snort.conf file has the following output settings:

output alert_syslog: LOG_AUTH LOG_ALERT

When I execute,a blank file gets created at /var/log/snort/snort.log.1489953549

I know that my rules are working, because if I execute snort with an alert-mode of fast

$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap

a new blank /var/log/snort/snort.log.1489954258 is created, but a /var/log/snort/alert log file is also created, which contains the correct alert outputs.

I have seen others run into this issue because of permissions, but I don't believe that is my problem given that I am running snort as sudo and it is able to write to the alert log just fine.

I also do not have $NO_PACKET_LOG as far as I can tell. reference

It looks like brew installed some default snort config files under /usr/local/etc/snort, but I don't think that these are affecting me because I am using the -c switch to supply a user config file.

DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.

回答1:

TL;DR
Use tcpdump, snort, tshark, or Wireshark to read snort log files (how to view snort log files)

$ sudo tcpdump -r snort.log.1489953549 

My empty log file was never actually empty (note file sizes from ls)

$ ls -ltr /var/log/snort/
-rw-------  1 root  admin   56018718 Mar 19 15:03 snort.log.1489954258
-rw-------  1 root  admin   56018718 Mar 19 15:11 snort.log.1489953549
-rw-r--r--  1 root  admin   70202224 Mar 19 15:11 alert

Snort log files must be read using the correct application

What type of file is it?

$ sudo file snort.log.1489953549
snort.log.1489953549: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

Read the file with tcpdump

$ sudo tcpdump -r snort.log.1489954258
06:54:16.654692 IP 192.168.5.81.amt-blc-port > 100.100.100.212.6667: Flags [P.], seq 1304973037:1304973067, ack 1425084530, win 8011, options [nop,nop,TS val 14215752 ecr 2196036272], length 30
...