How to view snort log files

6

17

I have been working with snort-IDS. I have got some log files at /var/log/snort. The files are of type snort.log.xxxx. How do I view these files?

Slaughterhouse answered 13/8, 2010 at 13:8 Comment(0)
12

I will reopen this question trying to merge the other answers, since I think that they are not properly explained.

  1. Guess the snort.log.xxx file type

Snort could have written you two kinds of output file format, depending on the snort output plugin option for those files: tcpdump pcap and snort's unified2. In order to know what kind your files are, use the unix file command.

It will tell you tcpdump capture file (go to 2) or data (go to 3).

  2. tcpdump

You can read it as a normal capture file: you can use wireshark, tshark -r, tcpdump -r, or even re-inject them into snort with snort -r.

  3. Unified2

"Native" snort format. You can read it with u2spewfoo <file> (included in snort), or convert it to a pcap with u2boat.

If you want to transform it to another alert system (syslog, for example), you can use barnyard2. Barnyard2 is a simple tool, but configuration is a little bit complex, so tell me if you need more information!

Barnyard2 is also capable of transforming it "continuously", i.e., the previous tools are one-shot: they print/convert one file once, and then exit. Barnyard2 is able to monitor the snort log directory and process events at the time they are produced by snort.

  4. More info

The unified2 format is used because of snort's old single-threaded design. The time snort spends waiting for syslog, screen, etc. to ACK an alert is time that snort is not using to analyze packets. So the approach was to dump them in an efficient binary format, and let another program (maybe with low CPU priority) process them.

Stymie answered 24/3, 2017 at 8:43 Comment(1)
In default configuration, u2spewfoo works like a charm for me while the other answers are either unwieldy or outright don't work. Platform: raspbian. Heretical
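The "guess the file type, then pick the tool" procedure from the answer above, as an added example that is not part of the original thread. It checks the leading bytes the way the unix file command does (libpcap and pcapng magic numbers, otherwise a plausible unified2 record header), maps the result to the reader the answer recommends (tcpdump -r or u2spewfoo), and then splits a unified2 stream into records and decodes the legacy IDS event record (type 7) so you can see the fields u2spewfoo prints. The record type numbers and the 52-byte IDS event layout are taken from snort's Unified2_common.h; the sample record is constructed by the script, not real snort output, and the tool names in reader_command are an assumed mapping, not snort's own API.

```python
"""Identify a snort.log.* file as pcap or unified2 and decode unified2 records.

Added example; mirrors the thread's "check the type, then read it" steps.
"""
import socket
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Leading bytes of libpcap files (both byte orders, usec and nsec timestamps) and pcapng.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# Unified2 record types (values from snort's Unified2_common.h).
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
            99: "IDS_EVENT_MPLS", 100: "IDS_EVENT_IPV6_MPLS",
            104: "IDS_EVENT_2", 105: "IDS_EVENT_IPV6_2", 110: "EXTRA_DATA"}
U2_HEADER = struct.Struct(">II")   # record type, record length (network byte order)
U2_MAX_RECORD = 1 << 20            # sanity bound on the length field (assumed)

# Unified2IDSEvent_legacy (type 7): eleven u32, two u16, four u8 = 52 bytes.
IDS_EVENT = struct.Struct(">11I2H4B")


def classify_header(head: bytes) -> str:
    """Return 'pcap', 'pcapng', 'unified2' or 'unknown' from the first 8 bytes."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if len(head) >= 8:
        rtype, rlen = U2_HEADER.unpack_from(head)
        if rtype in U2_TYPES and 0 < rlen <= U2_MAX_RECORD:
            return "unified2"
    return "unknown"


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_header(fh.read(8))


def reader_command(kind: str, path: str) -> List[str]:
    """The tool from the thread that reads this kind of file, as an argv list (assumed mapping)."""
    if kind in ("pcap", "pcapng"):
        return ["tcpdump", "-r", path]
    if kind == "unified2":
        return ["u2spewfoo", path]
    raise ValueError(f"no known reader for {kind}")


def parse_unified2(data: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a unified2 byte stream into (type, payload) records.

    A trailing partial record (snort may still be writing the file) is
    returned as leftover bytes instead of raising, so a tailing reader can
    retry once more data has been appended.
    """
    records, off = [], 0
    while off + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, off)
        if rtype not in U2_TYPES or rlen > U2_MAX_RECORD:
            raise ValueError(f"bad unified2 record header at offset {off}")
        if off + U2_HEADER.size + rlen > len(data):
            break  # incomplete record: leave it for the next read
        off += U2_HEADER.size
        records.append((rtype, data[off:off + rlen]))
        off += rlen
    return records, data[off:]


def decode_ids_event(payload: bytes) -> Dict[str, object]:
    """Decode the legacy IPv4 IDS event record into the fields u2spewfoo shows."""
    f = IDS_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack(">I", f[9])),
        "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
        "sport": f[11], "dport": f[12], "protocol": f[13], "blocked": f[16],
    }


def summarize(data: bytes) -> Dict[str, int]:
    """Count records per type, e.g. to see how many alerts a log file holds."""
    records, _ = parse_unified2(data)
    return dict(Counter(U2_TYPES[t] for t, _ in records))


def make_ids_event(sid: int, gid: int, src: str, dst: str,
                   sport: int, dport: int, proto: int) -> bytes:
    """Constructed sample type-7 record for demonstration (not real snort output)."""
    body = IDS_EVENT.pack(1, 1, 1690000000, 0, sid, gid, 1, 0, 3,
                          struct.unpack(">I", socket.inet_aton(src))[0],
                          struct.unpack(">I", socket.inet_aton(dst))[0],
                          sport, dport, proto, 0, 0, 0)
    return U2_HEADER.pack(7, len(body)) + body


if __name__ == "__main__":
    sample = make_ids_event(1000001, 1, "10.0.0.5", "192.0.2.10", 51234, 80, 6)
    kind = classify_header(sample[:8])
    print(kind, reader_command(kind, "snort.log.1690000000"))
    for rtype, payload in parse_unified2(sample)[0]:
        if rtype == 7:
            print(decode_ids_event(payload))
```

Run classify_file on a real /var/log/snort entry to get the same pcap-versus-data split the file command gives, then hand the path to the command reader_command returns. parse_unified2 deliberately stops at a partial trailing record rather than failing, which is the situation barnyard2 handles when it follows a log snort is still appending to.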
9

Actually, you can read them in the command line or terminal like snort -r xx.log.xxx. For details, refer to the snort manual.

Oxytocic answered 26/2, 2012 at 9:34 Comment(0)
5

Assuming they are logged in binary PCAP format, then Wireshark is your friend.

Heydon answered 10/12, 2010 at 0:57 Comment(0)
3
sudo tcpdump -r snort.log.XXXX

will output it to your screen. Use tcpdump since they are in pcap format.

Serial answered 12/9, 2015 at 18:57 Comment(0)
1

Or you can use barnyard2 to read them if they are in unified2 format and dump the results into a database.

That's what I'm doing.

Punitive answered 14/2, 2014 at 9:13 Comment(1)
It would have been more useful if you posted how you are reading it, since that is the actual question posted here. Perlman
1

1. Bro, first you have to move to the snort log folder.

$cd /var/log/snort

2. Now list the contents of the folder using the command below.

$ls

3. Then you can see files like the ones below (for example, in my case).

alert       tcpdump.log.67488231       tcpdump.log.56738523

4. Suppose you are trying to open this "tcpdump.log.67488231" file (tcpdump.log.67488231 is a sample log file captured by my system, so in your case it will have a different sequence number); you cannot read the data inside the file directly. So in order to clearly read or understand what is inside the file, you can use the following command.

$sudo tcpdump -r tcpdump.log.67488231

5. Now the file opens and you can read the content.

OR

You can use the command below.

$sudo snort -r snort.log.5637972

(snort.log.5637972 is the sample file; you can find it inside the same snort log folder (/var/log/snort). After starting snort in IDS mode we will get a file like this. In order to read this file, use the above command.)

Indelicate answered 22/8, 2022 at 6:34 Comment(0)
