0

我似乎无法停止记录到 syslog(特别是 auth.log)。据我所知,它似乎表现得好像我正在使用-s参数或output alert_syslog: LOG_AUTH LOG_ALERT在配置中运行。

我正在运行用 编译的 snort 2.9.7.0 ./configure --enable-reload,除非我缺少一些隐藏选项,否则我会告诉它以统一 2 的形式登录到 merge.log,而不是其他地方。

snort@snort:~$ ps -ef | grep snort
snort     7524     1  1 18:15 ?        00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D

snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

这是我看到的一些日志

snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80

这些警报中的大多数都是垃圾,我稍后会过滤掉,警报本身不会打扰我,让我烦恼的是他们要去 auth.log 并且我不知道为什么。

4

1 回答 1

0

我会检查以确保 snort 实际上是生成这些日志的负责进程。我见过barnyard2出现在日志中的情况,就好像它正在生成日志一样,这会让任何人失望。在 /etc/barnyard2.conf 或任何您的配置文件中,您可能会看到一行告诉您向 syslog 发送警报,就像这样:

output alert_syslog: LOG_AUTH LOG_INFO

您需要编辑该行,以便 barnyard2 将记录您想要的方式。

于 2015-02-13T19:57:39.290 回答