【发布时间】:2015-02-10 18:47:42
【问题描述】:
我似乎无法让 snort 停止记录到 syslog(特别是 auth.log)。据我所知,它似乎正在运行,就好像我正在使用 -s 参数或配置中的 output alert_syslog: LOG_AUTH LOG_ALERT 运行。
我正在运行使用 ./configure --enable-reload 编译的 snort 2.9.7.0,除非我缺少某些隐藏选项,否则我会告诉它以统一 2 的身份登录到 merge.log,而不是其他地方。
snort@snort:~$ ps -ef | grep snort
snort 7524 1 1 18:15 ? 00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D
snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
这是我看到的一些日志
snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
这些警报中的大多数都是垃圾,我稍后会过滤掉,警报本身不会打扰我,让我烦恼的是它们会进入 auth.log,我不知道为什么。
【问题讨论】:
-
这些都是警报的解码器和预处理器规则 (manual.snort.org/node18.html)。您在 snort.conf 中有选项“disable_decode_alerts”吗?如果不是,如果您希望警报停止,您想尝试添加它。不过,我仍然不能 100% 确定为什么这些会向 syslog 发出警报,据我所知,它们仍应像正常规则一样被记录。
-
我的配置中有“config disable_decode_alerts”。现在我使用的配置是来自 2.9.7.0 tar.gz 的大约 99% 的库存。基本上我更改了一些 ipvar 和路径变量,并启用了 Unified2 日志记录。
-
只是仔细检查,但是 ps 输出中的 pid 与日志中的 pid 不同,这仅仅是因为重新启动了 snort 并且日志消息来自较新的进程吗?否则还有另一个 snort 进程正在运行,它不在 ps 输出中?
-
是的,抱歉,只是重新启动进程。很好的收获。
标签: logging configuration syslog snort