LinuxQuestions.org
Old 09-17-2015, 01:34 PM   #1
haim
LQ Newbie
 
Registered: Sep 2015
Posts: 2

Rep: Reputation: Disabled
Snort installed on ubuntu not sending alerts to syslog


I have a Magento website set up on a Linux machine that is based on a Bitnami ready-made image.

The main goal is to be notified by email whenever there might be a potential attack on the site.

To achieve that I decided to install Snort IDS and email the alerts coming to the syslog using Swatch.

I've installed snort by following this tutorial from Snort's official website.

I've just finished section 9 of that tutorial which means:

Installed all the prerequisites.
Installed Snort IDS on the machine.
Set up a test rule to alert when ICMP requests (ping) occur.
Next, to allow Snort to log alerts to syslog, I've uncommented this line in the snort.conf file:
output alert_syslog: LOG_AUTH LOG_ALERT

I've tested the installation by running this command:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file, but nothing was added to the syslog.

Trial and error:

1. Run snort as user root.
2. Set syslog to bounce logs to another server (remote syslog).

I don't have a great deal of experience with Linux, so any help to point me in the right direction will be very much appreciated.

Some facts:
  1. Bitnami Magento Stack 1.9.1.0-0
  2. Ubuntu 14.04.3 LTS
  3. Snort 2.9.7.5
 
Old 09-19-2015, 05:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565
Quote:
Originally Posted by haim
The main goal is to be notified by email whenever there might be a potential attack on the site.

First of all, when you do receive the email (MTA or network outage, mailbox full, etc.) the event has already happened; secondly, if you're not close to or unable to use a computer, or unable to log in (sleep, travel, weak cellular signal, low battery, wrong access lists, no SSH pubkey auth priv key on device), then the event has passed without action, and when you finally access the machine you'd have to decipher the cryptic message Snort sent you and have enough relevant admin knowledge to know where to look. So that's why I'd say that's one of the most inefficient things to do. That said:


Quote:
Originally Posted by haim
I've tested the installation by running this command:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file, but nothing was added to the syslog.

A couple of things:
0) always pre-flight test using "-T",
1) don't use "-q" during any tests,
2) ensure Syslog, Rsyslogd or Syslog-NG is configured to log any LOG_AUTH and LOG_ALERT,
3) remove the "-A console" and try again.


Quote:
Originally Posted by haim
I don't have a great deal of experience with Linux

Then you should get it: check your Linux distribution of choice's user, admin and security documentation. Please don't postpone it saying you "don't have the time", because when you finally do it'll be too late...
 
1 members found this post helpful.
Old 09-22-2015, 03:16 AM   #3
haim
LQ Newbie
 
Registered: Sep 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
It's alive!!

Following unSpawn's reply I've reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file.
Which led to a quick fix of adding an additional .conf file to /etc/rsyslog.d with the content:
auth.*    /var/log/syslog


Also, as suggested, I've made some changes to the snort execution command (omitting the -q -A console):
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0


After restarting the rsyslog service I found the missing Snort alerts in syslog.

unSpawn, thank you for pointing me in the right direction.
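An added example, not code from the thread or from the Snort or rsyslog projects, covering unSpawn's checklist items 0 and 2 in post #2 and the drop-in fix in post #3: a POSIX shell helper that reads rsyslog's legacy "facility.priority target" selector lines and prints every target a message of a given facility and priority would reach. Run against a constructed config modelled on Ubuntu 14.04's 50-default.conf it reproduces the diagnosis above (auth goes to auth.log and is excluded from syslog by "auth,authpriv.none") and shows that the drop-in adds /var/log/syslog as a second target. The drop-in file name, the --live/--show options and the logger-based check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads rsyslog legacy selector lines
# ("facility.priority  target") and prints every target a message of the given
# facility/priority would reach, so you can see why Snort's LOG_AUTH/LOG_ALERT
# output lands in auth.log but not in syslog on a stock Ubuntu 14.04 box.
# Known limits: "=pri"/"!pri" modifiers, RainerScript and rulesets are skipped.

# Usage: route_for FACILITY PRIORITY "<config text>"
route_for() {
    printf '%s\n' "$3" | awk -v fac="$1" -v pri="$2" '
    BEGIN {
        # syslog priorities in ascending severity; "fac.pri" matches pri and above
        n = split("debug info notice warning err crit alert emerg", lv, " ")
        for (i = 1; i <= n; i++) rank[lv[i]] = i
        rank["warn"] = rank["warning"]; rank["error"] = rank["err"]
        want = rank[pri]
    }
    /^[ \t]*(#|$)/ { next }                                   # comments, blanks
    NF < 2 { next }                                           # not "selector target"
    $1 ~ /^[$]/ || $1 ~ /^(if|action|module|input)/ { next }  # directives, RainerScript
    {
        hit = 0
        ns = split($1, sel, ";")
        # selectors apply left to right; a later entry for the same facility
        # overrides an earlier one, which is how "*.*;auth,authpriv.none" works
        for (s = 1; s <= ns; s++) {
            if (split(sel[s], fp, ".") != 2) continue
            nf = split(fp[1], facs, ",")
            applies = 0
            for (f = 1; f <= nf; f++)
                if (facs[f] == "*" || facs[f] == fac) applies = 1
            if (!applies) continue
            p = fp[2]
            if (p == "none")       hit = 0
            else if (p == "*")     hit = 1
            else if (p in rank)    hit = (want >= rank[p])
        }
        if (hit) { t = $2; sub(/^-/, "", t); print t }       # leading "-" = async write
    }'
}

# Constructed sample modelled on Ubuntu 14.04's /etc/rsyslog.d/50-default.conf
# (not a copy of the real file).
STOCK_CONF='auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
*.emerg                         :omusrmsg:*'

# The drop-in from post #3 with the selector spelled out: rsyslog requires
# "facility.priority", a bare "auth" is rejected. The file name is an assumption.
FIX_FILE=/etc/rsyslog.d/10-snort.conf
FIX_CONF='auth.*                          /var/log/syslog'

# Snort's "output alert_syslog: LOG_AUTH LOG_ALERT" line emits auth.alert messages.
snort_targets() { route_for auth alert "$1"; }

# Live check (assumption: run as root on the Snort host). Pre-flights the Snort
# config with -T as unSpawn advised, installs the drop-in, restarts rsyslog, then
# injects one auth.alert message with logger and looks for it in syslog.
# Only runs when asked for, so the file is safe to source for the functions.
live_check() {
    /usr/local/bin/snort -T -u snort -g snort -c /etc/snort/snort.conf -i eth0 || return 1
    printf '%s\n' "$FIX_CONF" > "$FIX_FILE"
    service rsyslog restart
    logger -p auth.alert "snort-syslog-pipeline-test"
    sleep 1
    grep -q snort-syslog-pipeline-test /var/log/syslog && echo "auth.alert reaches /var/log/syslog"
}

if [ "${1:-}" = "--live" ]; then
    live_check
elif [ "${1:-}" = "--show" ]; then
    echo "stock config sends auth.alert to:"; snort_targets "$STOCK_CONF"
    echo "with the drop-in added:"; snort_targets "$(printf '%s\n%s\n' "$STOCK_CONF" "$FIX_CONF")"
fi
```

Run it with --show to see the routing on the constructed config, or --live on the host to exercise the whole path with a synthetic auth.alert message instead of having to generate traffic that trips a Snort rule.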
 
Old 09-22-2015, 07:32 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565
You're welcome. Please mark the thread "solved", thanks.
 