Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all!
First of all, I looked for answers in other posts but I couldn't find the exact answer for my questions, so, being a well-known ignorant, I'll post a new thread.
Finally, I've been able to set up snort properly.
Here comes the first question:
I set up a snortalert.log file where all the alerts go, and this works, but my /var/log/snort/ fills up with snort-nnnn@nnnn.log files. What are these? I tried to view them, but they look binary.
Here comes the second question:
In my network setup, eth0 is linked to an ethernet switch for LAN purposes and eth1 is linked to an ADSL modem. I connect using ppp.
Should I monitor eth1 or ppp0?
my /var/log/snort/ fills up with snort-nnnn@nnnn.log files. What are these? I tried to view them, but they look binary.
Try "file snort-nnnn@nnnn.log". If it says "tcpdump", then you can read them with "tcpdump -r <file>". If it says "8086 relocatable", then it's Snort's Unified binary logging format files, and you can read them with Barnyard (see snort.org / download / contrib / barnyard).
Using Snort unified logging is faster than logging ASCII, because it doesn't need to do things like interpret alerts and write them out, resolve addresses, etc. If you have trouble automating Barnyard usage, let me know; it's simple to script and hook up with cron or logrotate or whatever else.
Should I monitor eth1 or ppp0?
Depends on what you want to log. Go wild. Log 'em all.
Check out the LQ FAQ: Security references, post #3, under "Snort on two interfaces" for solutions and caveats.
Before I start worrying... (I'm at work now and I can't check), do the snort binary log files contain sensitive data? I mean, if I need to understand if something went wrong, should I trust the human-readable alert file?
Thank you
Before I start worrying... (I'm at work now and I can't check), do the snort binary log files contain sensitive data?
They contain the logged packets' contents, yes.
I mean, if I need to understand if something went wrong, should I trust the human-readable alert file?
What do you mean by "trust"? I mean, what you get depends on how much info you log in your human-readable alert file. Still, it's parsed data, meaning you can't refilter or work on the data itself.
Binary format can produce both tcpdumps and human-readable alerts.
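The advice earlier in the thread (check what kind of file each snort-nnnn@nnnn.log is before reaching for tcpdump or Barnyard) and the closing point that the binary format can regenerate both pcaps and human-readable alerts, folded into one small script. This is an added example, not code from the thread or from the Snort/Barnyard projects. It reads the leading magic bytes directly instead of calling `file`: libpcap captures start with 0xa1b2c3d4 in either byte order, and the old unified format's LOG_MAGIC 0xDEAD1080 and ALERT_MAGIC 0xDEAD4137 are taken from my recollection of Snort's spo_unified source, so verify them against your Snort version (unified2 files carry no magic and will show as unknown). Stored little-endian, LOG_MAGIC begins with the bytes 0x80 0x10, which is presumably why `file` labels those files "8086 relocatable". The sample files are constructed in a temporary directory, the `barnyard -o` one-shot invocation is an assumption based on Barnyard 0.2's usage text, and the script only prints the reader command rather than running it.

```shell
#!/bin/sh
# Classify Snort output files by magic bytes and print how to read each one.
# Added example for the thread above; not part of Snort or Barnyard.

# First four bytes of a file as lowercase hex with no separators, e.g. a1b2c3d4.
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Map the magic to a kind:
#   tcpdump        libpcap capture, big- or little-endian header
#   unified-log    Snort unified packet log  (LOG_MAGIC   0xDEAD1080, assumed)
#   unified-alert  Snort unified alert file  (ALERT_MAGIC 0xDEAD4137, assumed)
#   unknown        text alert files, unified2, or anything else
classify_log() {
    case "$(magic4 "$1")" in
        a1b2c3d4|d4c3b2a1) echo tcpdump ;;
        8010adde)          echo unified-log ;;
        3741adde)          echo unified-alert ;;
        *)                 echo unknown ;;
    esac
}

# Print the command that turns the file into something readable.
# The barnyard flags are assumed from Barnyard 0.2 (-c config, -o one-shot);
# check 'barnyard -h' on your install.
reader_for() {
    case "$(classify_log "$1")" in
        tcpdump)
            echo "tcpdump -nn -r '$1'" ;;
        unified-log|unified-alert)
            echo "barnyard -c /etc/snort/barnyard.conf -o '$1'" ;;
        *)
            echo "cat '$1'   # not a Snort binary format this script knows" ;;
    esac
}

# Walk a directory the way a cron or logrotate hook would, one line per file.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$(classify_log "$f")" "$(reader_for "$f")"
    done
}

# Constructed sample files so the script runs offline; none are real captures.
make_samples() {
    mkdir -p "$1"
    # 24-byte little-endian pcap global header (v2.4, snaplen 65535, linktype 1), no packets
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
        > "$1/snort-1234@5678.log"
    # unified log and alert files: magic only, little-endian on disk
    printf '\200\020\255\336' > "$1/snort-1234@5679.log"
    printf '\067\101\255\336' > "$1/snort-1234@5680.log"
    # ASCII alert file like the snortalert.log in the question
    printf '[**] [1:1000:1] constructed test alert [**]\n' > "$1/snortalert.log"
}

# Usage: sh snortlogs.sh [dir]   (no argument: build samples in a temp dir and scan them)
if [ $# -gt 0 ]; then
    scan_dir "$1"
elif [ -z "${SNORTLOGS_NO_DEMO:-}" ]; then
    demo=$(mktemp -d)
    make_samples "$demo"
    scan_dir "$demo"
    rm -rf "$demo"
fi
```

Point it at /var/log/snort to see which of the rotated files are pcaps and which need Barnyard; the classification is cheap enough to run from a logrotate postrotate hook before the files are archived. Keep in mind that both kinds hold full packet payloads, so treat the directory with the same care as any capture store.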