Snort logging mode – How to define subnets

loggingsnort

I am using snort to log all traffic on an interface

snort -i eth1 -l /interface/log/dir -b -U -m 112

With this command I manage to get ALL data which makes my log files very large.

Is there any way to tell snort only to output packets which come from or go to a certain list of subnets? (More than one)

Best Answer

Look at /etc/snort/snort.conf

You can define your home and external nets. Home nets are being ignored while external nets are being processed.

var HOME_NET [10.1.1.0/24,192.168.1.0/24]

you can easily extend this lists.

Afer you have defined your sensible and home nets, you can exclude rules you don't use or don't need to monitor.

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules

Just uncomment the rules you don't need.

Related Solutions

Log tcpdump Output

Instead of logging all traffic, I would suggest the following: Monitor the number of packets sent to your server. If it exceeds a certain threshold, log a couple of 1000 packets, then wait for a longer time.

That packet trace should contain plenty of information which can be used for analysis. Also, it will not impose too much additional load on your server while everything is fine. You could use the following hacked together bash code as a starting point (could be started in screen, for example):

interface=eth0
dumpdir=/tmp/

while /bin/true; do
  pkt_old=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`
  sleep 1
  pkt_new=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`

  pkt=$(( $pkt_new - $pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ $pkt -gt 5000 ]; then
    echo -e "\n`date` Under attack, dumping packets."
    tcpdump -n -s0 -c 2000 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap
    echo "`date` Packets dumped, sleeping now."
    sleep 300
  fi
done

Feel free to adapt it to your needs.

Centos – Snort: not logging anything

As long as the Snort daemon is running the problem that generally causes this behavior is usually one of three things:

Missing rule set, does not appear to apply here.
Interface not configured correctly (listening on inside interface, not external monitor port)
External interface not connected via a tap (if you are monitoring other hosts).

My best guess at this point is that probably need to specify the interface to the daemon differently. Unless you are actually using a bonded interface (not mentioned in your question) that would be the first place I would look.

Best Answer

Related Solutions

Log tcpdump Output

Centos – Snort: not logging anything

Related Topic