 

How to view snort log files

Tags:

logging

snort

I have been working with snort-IDS. I have got some log files at /var/log/snort. The files are of type snort.log.xxxx. How do I view this file?

M.S Balagopal Avatar asked Aug 13 '10 13:08




4 Answers

Actually, you can read them on the command line or in a terminal, like snort -r xx.log.xxx. For details, refer to the snort manual.

Kinka Avatar answered Oct 03 '22 21:10



I will reopen this question, trying to merge the other answers, since I think that they are not properly explained.

  1. Guess the snort.log.xxx file type

Snort could have output two kinds of file format, depending on the snort output plugin option for those files: tcpdump pcap and snort's unified2. In order to know what kind your files are, use the unix file command.

It will tell you tcpdump capture file (go to 2) or data (go to 3).

  2. tcpdump

You can read it as a normal capture file: you can use wireshark, tshark -r, tcpdump -r, or even re-inject it into snort with snort -r.

  3. Unified2

"Native" snort format. You can read it with u2spewfoo <file> (included in snort), or convert it to a pcap with u2boat.

If you want to transform it for another alert system (syslog, for example), you can use barnyard2. Barnyard2 is a simple tool, but the configuration is a little bit complex, so tell me if you need more information!

Barnyard2 is also capable of transforming it "continuously", i.e., the previous tools are one-shot: they print/convert one file one time, and then exit. Barnyard2 is able to monitor the snort log directory and process events at the time they are produced by snort.

  4. More info

The unified2 format is used because of snort's old single-thread design. The time snort spends waiting for syslog, the screen, etc. to ACK an alert is time that snort is not using to analyze packets. So, the way was to dump them in an efficient binary format, and let another program (maybe with low CPU priority) process them.

eugenioperez Avatar answered Oct 03 '22 19:10

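The two-branch procedure above (classify the file, then decode it as pcap or as unified2) can be checked without snort, tcpdump or u2spewfoo installed. The script below is an added example, not code from any of the answers or from the snort project: it assumes the file is either libpcap output (what snort's log_tcpdump plugin writes) or a unified2 stream, reproduces the `file`-style classification from the first bytes, and decodes the unified2 legacy IDS event (type 7) and packet (type 2) records the way u2spewfoo prints them; other unified2 record types are listed but not decoded. The sample inputs are constructed inline and are not real snort output.

```python
"""Classify and decode a snort.log.* file without snort or tcpdump installed.

Added example, not code from the original answers or from snort. Assumes the
file is libpcap (snort's log_tcpdump plugin) or unified2 (the unified2 plugin).
Record layouts follow unified2's legacy IDS event (type 7) and packet (type 2).
"""
import ipaddress
import struct
import sys
from typing import Iterator

# libpcap magic numbers: microsecond and nanosecond variants, both byte orders.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# unified2 record types (subset); every field in the stream is big-endian.
U2_PACKET, U2_IDS_EVENT = 2, 7
U2_KNOWN_TYPES = {2, 7, 72, 104, 105, 110}   # plus IPv6/VLAN events, extra data
U2_EVENT_FMT = ">11I2H4B"                    # legacy IDS event body: 52 bytes
U2_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)
U2_PACKET_FMT = ">7I"                        # packet record header: 28 bytes
U2_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                    "packet_microsecond", "linktype", "packet_length")


def detect_format(data: bytes) -> str:
    """What `file` would report. unified2 has no magic number, so the check is
    a plausible first record header: a known type and a length that fits."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if len(data) >= 8:
        rtype, rlen = struct.unpack_from(">II", data)
        if rtype in U2_KNOWN_TYPES and 0 < rlen <= len(data) - 8:
            return "unified2"
    return "unknown"


def parse_unified2(data: bytes) -> Iterator[dict]:
    """Walk (type, length, body) records; decode events and packets, list the rest."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8: off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated unified2 record at offset {off}")
        if rtype == U2_IDS_EVENT and rlen >= struct.calcsize(U2_EVENT_FMT):
            rec = dict(zip(U2_EVENT_FIELDS, struct.unpack_from(U2_EVENT_FMT, body)))
            rec["type"] = "event"
            rec["src"] = str(ipaddress.IPv4Address(rec.pop("ip_source")))
            rec["dst"] = str(ipaddress.IPv4Address(rec.pop("ip_destination")))
        elif rtype == U2_PACKET and rlen >= struct.calcsize(U2_PACKET_FMT):
            rec = dict(zip(U2_PACKET_FIELDS, struct.unpack_from(U2_PACKET_FMT, body)))
            rec["type"] = "packet"
            rec["data"] = body[28:28 + rec["packet_length"]]
        else:
            rec = {"type": "other", "record_type": rtype, "length": rlen}
        yield rec
        off += 8 + rlen


def parse_pcap(data: bytes) -> Iterator[dict]:
    """Minimal libpcap reader: 24-byte global header, then 16-byte record headers."""
    endian = PCAP_MAGICS[data[:4]]
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, wirelen = struct.unpack_from(endian + "4I", data, off)
        pkt = data[off + 16: off + 16 + caplen]
        if len(pkt) < caplen:
            raise ValueError(f"truncated pcap record at offset {off}")
        yield {"type": "packet", "ts_sec": ts_sec, "caplen": caplen,
               "wirelen": wirelen, "linktype": linktype, "data": pkt}
        off += 16 + caplen


def read_snort_log(data: bytes) -> tuple:
    """Return (format, records); pcapng and unknown inputs give no records."""
    fmt = detect_format(data)
    if fmt == "unified2":
        return fmt, list(parse_unified2(data))
    if fmt == "pcap":
        return fmt, list(parse_pcap(data))
    return fmt, []


def build_sample_unified2() -> bytes:
    """Constructed input (not real snort output): one event plus its packet."""
    event = struct.pack(U2_EVENT_FMT, 1, 42, 1281700800, 0,     # sensor, id, time
                        1000001, 1, 1, 0, 3,                     # sid, gid, rev, class, prio
                        int(ipaddress.IPv4Address("10.0.0.5")),
                        int(ipaddress.IPv4Address("192.168.1.10")),
                        40000, 80, 6, 0, 0, 0)                   # ports, proto=tcp, flags
    payload = b"GET / HTTP/1.0\r\n\r\n"                          # placeholder, not a real frame
    packet = struct.pack(U2_PACKET_FMT, 1, 42, 1281700800, 1281700800, 123, 1, len(payload)) + payload
    return (struct.pack(">II", U2_IDS_EVENT, len(event)) + event
            + struct.pack(">II", U2_PACKET, len(packet)) + packet)


def build_sample_pcap() -> bytes:
    """Constructed input: little-endian pcap, linktype 1, two placeholder frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate((b"\xaa" * 60, b"\xbb" * 74)):
        out += struct.pack("<4I", 1281700800 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_unified2(), build_sample_pcap()]
    for blob in blobs:
        fmt, recs = read_snort_log(blob)
        print(f"{fmt}: {len(recs)} record(s)")
        for r in recs:
            if r["type"] == "event":
                print(f"  [{r['generator_id']}:{r['signature_id']}:{r['signature_revision']}] "
                      f"{r['src']}:{r['sport_itype']} -> {r['dst']}:{r['dport_icode']} proto {r['protocol']}")
            elif r["type"] == "packet":
                print(f"  packet {len(r['data'])} bytes")
            else:
                print(f"  record type {r['record_type']} ({r['length']} bytes) not decoded")
```

Run it as `python3 snortlog.py /var/log/snort/snort.log.1281700800` (path is illustrative) or with no arguments to see the constructed samples. The unified2 check is a heuristic, which is exactly why the answer tells you to run `file` first: a pcap is recognised by its magic number, while unified2 is only recognisable by its record structure, so a file that `file` calls "data" but which this script calls "unknown" is most likely truncated or not from snort at all.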


Assuming they are logged in binary PCAP format, then Wireshark is your friend.

Kumba Avatar answered Oct 03 '22 20:10



sudo tcpdump -r snort.log.XXXX 

Will output it to your screen. Use tcpdump since they are in pcap format.

Pumphouse Avatar answered Oct 03 '22 20:10
