Help me with Collecting Snort Logs and Alerts on Wazuh (Do we have to make rules? decoders?)


Khoa Phạm Anh

Jun 12, 2018, 12:16:54 PM
to Wazuh mailing list
Hi all,
I have configured Snort to output a CSV file such as /var/log/snort-pakjack.log with msg,timestamp,srcip,dstip.
And this is my local.rules.xml of Wazuh.
This is my local.decoder.xml in Wazuh.


And in ossec.conf, for Snort, I have configured this to collect logs:

But when I read archives.log, I have no alert information from Snort.
Can anyone help me with this case, please? :(


miguel....@wazuh.com

Aug 14, 2018, 8:54:41 AM
to Wazuh mailing list
Hi Khoa,

First of all, sorry for the late response.

Wazuh has its own decoder for Snort, which extracts the fields you are searching for: srcip, dstip, and id. The decoders and rules for Snort are located in /var/ossec/ruleset/decoders/0285-snort_decoders.xml and /var/ossec/ruleset/rules/0240-ids_rules.xml, because they are classified as ids rules.

In order to collect those events from Snort, it is necessary to specify in <localfile> the correct format with <log_format>. In this case, there are two valid formats: snort-full and snort-fast, which are used for Snort's full-output format and Snort's fast-output format respectively.

You can see all the valid formats for <log_format> in the following link: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=localfile#log-format

In your case, you can use the following example to collect logs from Snort:

  1. Configure in ossec.conf the path from which the Snort logs are collected, indicating the desired format. In my case /var/log/snort.log and snort-full:

   <localfile>
     <log_format>snort-full</log_format>
     <location>/var/log/snort.log</location>
   </localfile>


  2. Restart ossec-control:

   /var/ossec/bin/ossec-control restart


  3. Finally, you can check the alerts in the Manager:

** Alert 1534249527.62500: - ids,fts,
2018 Aug 14 14:25:27 (ubuntu-VirtualBox) any->/var/log/snort.log
Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
Src IP: 192.168.20
Dst IP: 192.168.20.2
[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.20.32 -> 192.168.20.2


I hope this helps you.

Best regards,

Miguel Casares
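As an added example (not code from this thread or from the Wazuh ruleset), the Python script below parses Snort fast-output lines like the one quoted in the alert above into the fields the reply says the built-in decoder exposes (id, srcip, dstip), and mimics the first-time-seen behaviour of rule 20100 over constructed sample lines. It assumes IPv4 addresses, and it returns None for the CSV output from the question, which is not one of the snort-* formats the reply lists.

```python
import re
from typing import Dict, List, Optional, Set

# Snort fast-output alert format (what Wazuh's snort-fast log_format expects).
# Assumption: IPv4 with optional ports; timestamp and Classification are optional.
FAST_ALERT_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"\[\*\*\]\s+\[(?P<id>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s*)?"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<srcport>\d+))?\s+->\s+"
    r"(?P<dstip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dstport>\d+))?\s*$"
)

def decode_snort_fast(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields the built-in decoder exposes (id, srcip, dstip, ...),
    or None for a line that is not a fast-format alert (e.g. the CSV output
    from the question, which no snort-* log_format will decode)."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def first_seen_alerts(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Mimic the 'first time this IDS alert is generated' (fts) behaviour of
    rule 20100: keep only the first occurrence of each signature id."""
    seen: Set[str] = set()
    out: List[Dict[str, Optional[str]]] = []
    for line in lines:
        fields = decode_snort_fast(line)
        if fields is None or fields["id"] in seen:
            continue
        seen.add(fields["id"])
        out.append(fields)
    return out

# Constructed sample: two hits of one signature, one ICMP hit without ports,
# and one CSV line (the poster's original output) that must be rejected.
SAMPLE_LINES = [
    "08/14-14:25:27.101010  [**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.20.32:53 -> 192.168.20.2:41235",
    "08/14-14:25:28.202020  [**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.20.32:53 -> 192.168.20.2:41236",
    "08/14-14:25:29.303030  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.20.32 -> 192.168.20.2",
    "ATTACK-RESPONSES id check returned userid,08/14-14:25:30,192.168.20.32,192.168.20.2",
]

if __name__ == "__main__":
    for f in first_seen_alerts(SAMPLE_LINES):
        print(f["id"], f["srcip"], "->", f["dstip"], f["msg"])
```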