Failed get log from snort v3 to Wazuh


Phát Đặng Minh

Nov 30, 2023, 11:14:14 PM11/30/23
to Wazuh | Mailing List
Dear team,
I have a problem getting the logs from Snort3 into Wazuh. I have some logs in locations such as /var/log/syslog, /var/log/auth.log, etc.; however, I don't receive any logs from the location /var/log/snort.
My configuration is as below:
Wazuh:
  <!-- snort -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/*</location>
  </localfile>
Snort:
7. configure outputs
---------------------------------------------------------------------------
-- you can enable with defaults from the command line with -A <alert_type>
alert_fast = {file = true,
packet = false,
limit =10,
}
run service:
snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -A alert_fast -l /var/log/snort -D -u snort -g snort -i ens33 -m 0x1b --create-pidfile

Please help me to solve this problem. Thank you for your support.

Have a nice day.
Best regards!


suricata

Dec 1, 2023, 1:34:08 AM12/1/23
to Wazuh | Mailing List
Hi,

Have you created the decoder and the rules?

Md. Nazmur Sakib

Dec 1, 2023, 3:23:22 AM12/1/23
to Wazuh | Mailing List

Hi Phát Đặng Minh,


Hope you are doing well. Thank you for using Wazuh.


If you are not setting the Snort log to the /var/log/snort folder on the endpoint where Snort is installed, I think the issue is with your Snort configuration.

Recheck the Snort configuration:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node15.html



Check this document for a guideline for snort log in Wazuh.

https://maikroservice.com/step-by-step-guide-to-setting-up-snort-as-your-homelab-ids-with-wazuh-siem-integration-in-2023


Let me know if you still face any issues.


Regards

Md. Nazmur Sakib

Phát Đặng Minh

Dec 5, 2023, 5:25:44 AM12/5/23
to Wazuh | Mailing List
Hi Suricata,
Thank you for your support.
I am using the default decoders and the default rules.

On Friday, December 1, 2023 at 13:34:08 UTC+7, suricata wrote:

Phát Đặng Minh

Dec 5, 2023, 5:47:16 AM12/5/23
to Wazuh | Mailing List
Hi Nazmur Sakib,
Sorry for the late reply.
Thank you for your response.
I have configured it as per the guideline; however, it seems that Wazuh still does not get the Snort log from /var/log/snort:
Wazuh Agent on Snort (/var/ossec/etc/ossec.conf):
  <!-- snort -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert_fast.txt</location>
  </localfile>

Configured outputs on Snort version 3:


On Friday, December 1, 2023 at 15:23:22 UTC+7, Md. Nazmur Sakib wrote:

Black_file

Jan 11, 2024, 7:59:47 AM1/11/24
to Wazuh | Mailing List
Hello,

The problem comes from the new Snort3 log format; now it looks like this:
01/11-11:41:21.699169 [**] [1:1421:19] "PROTOCOL-SNMP AgentX/tcp request" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.244.41:46764 -> 192.168.244.195:705

On Snort2 the alert looked like this:
[**] [1:1421:19] "PROTOCOL-SNMP AgentX/tcp request" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.244.41:46764 -> 192.168.244.195:705

It needs a modified or new decoder that takes the date and time into account.
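The format difference above, as an added example that is not part of the thread or of Wazuh's own decoders: a Python parser whose regex makes the Snort 3 timestamp prefix optional, so one pattern matches both the Snort 2 and Snort 3 alert_fast lines and extracts the fields a custom decoder would need to capture. The sample lines are constructed from the two formats shown above; the ICMP line without ports is an assumed extra case.

```python
import re
from typing import Optional

# Constructed samples: the Snort 3 and Snort 2 lines from the thread, plus an
# assumed ICMP alert (no ports) that a port-only pattern would fail to decode.
SNORT3_LINE = ('01/11-11:41:21.699169 [**] [1:1421:19] "PROTOCOL-SNMP AgentX/tcp request" [**] '
               '[Classification: Attempted Information Leak] [Priority: 2] {TCP} '
               '192.168.244.41:46764 -> 192.168.244.195:705')
SNORT2_LINE = ('[**] [1:1421:19] "PROTOCOL-SNMP AgentX/tcp request" [**] '
               '[Classification: Attempted Information Leak] [Priority: 2] {TCP} '
               '192.168.244.41:46764 -> 192.168.244.195:705')
ICMP_LINE = ('01/11-11:42:00.000001 [**] [1:1000001:1] "LOCAL ICMP echo" [**] '
             '[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9')

# The leading "MM/DD-HH:MM:SS.usec " group is optional: present on Snort 3
# alert_fast output, absent on Snort 2. Everything after it is shared.
# Ports are optional too, because ICMP alerts carry bare addresses; a lazy
# \S+? for the IP lets the port group claim the trailing ":digits".
ALERT_RE = re.compile(
    r'^(?:(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+)?'
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<classification>[^\]]*)\] )?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<srcip>\S+?)(?::(?P<srcport>\d+))? -> (?P<dstip>\S+?)(?::(?P<dstport>\d+))?$'
)


def parse_alert(line: str) -> Optional[dict]:
    """Decode one alert_fast line from Snort 2 or Snort 3.

    Returns a dict of named fields (timestamp is None for Snort 2 lines,
    ports are None for ICMP) or None when the line does not match at all.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "srcport", "dstport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


if __name__ == "__main__":
    for sample in (SNORT3_LINE, SNORT2_LINE, ICMP_LINE, "not a snort line"):
        print(parse_alert(sample))
```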