如何让 snort 停止向 auth.log 发出警报?
How do I make snort stop alerting to auth.log?
我似乎无法让 snort 停止记录到 syslog(特别是 auth.log)。据我所知,它似乎表现得好像我是 运行 -s 参数或配置中的 output alert_syslog: LOG_AUTH LOG_ALERT。
我是 运行 使用 ./configure --enable-reload 编译的 snort 2.9.7.0,除非我遗漏了一些隐藏选项,否则我会告诉它登录到 merged.log作为 unified2,没有其他地方。
snort@snort:~$ ps -ef | grep snort
snort 7524 1 1 18:15 ? 00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D
snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
这是我看到的一些日志
snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
大多数这些警报都是垃圾,我稍后会过滤掉,警报本身不会打扰我,让我感到困扰的是它们会 auth.log 而我不明白为什么。
我会检查以确保 snort 实际上是生成这些日志的负责进程。我见过 barnyard2 出现在日志中的情况,就好像它是 snort 生成日志一样,这会让任何人失望。在 /etc/barnyard2.conf 或任何你的配置文件中,你可能会看到一行告诉你向系统日志发送警报,就像这样:
output alert_syslog: LOG_AUTH LOG_INFO
您需要编辑该行,以便 barnyard2 记录您想要的内容。
我似乎无法让 snort 停止记录到 syslog(特别是 auth.log)。据我所知,它似乎表现得好像我是 运行 -s 参数或配置中的 output alert_syslog: LOG_AUTH LOG_ALERT。
我是 运行 使用 ./configure --enable-reload 编译的 snort 2.9.7.0,除非我遗漏了一些隐藏选项,否则我会告诉它登录到 merged.log作为 unified2,没有其他地方。
snort@snort:~$ ps -ef | grep snort
snort 7524 1 1 18:15 ? 00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D
snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
这是我看到的一些日志
snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
大多数这些警报都是垃圾,我稍后会过滤掉,警报本身不会打扰我,让我感到困扰的是它们会 auth.log 而我不明白为什么。
我会检查以确保 snort 实际上是生成这些日志的负责进程。我见过 barnyard2 出现在日志中的情况,就好像它是 snort 生成日志一样,这会让任何人失望。在 /etc/barnyard2.conf 或任何你的配置文件中,你可能会看到一行告诉你向系统日志发送警报,就像这样:
output alert_syslog: LOG_AUTH LOG_INFO
您需要编辑该行,以便 barnyard2 记录您想要的内容。