问题描述

我正在运行macOS Sierra 10.12.3

I am running macOS Sierra 10.12.3

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.12.3
BuildVersion:   16D32

我已使用自制软件

$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0

我正在运行snort并使用 user 配置文件，-s syslog开关和tcpdump文件

I am running snort and with a user config file, -s syslog switch, and a tcpdump-file

$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap

我的/etc/snort/snort.conf文件具有以下 output 设置:

my /etc/snort/snort.conf file has the following output settings:

output alert_syslog: LOG_AUTH LOG_ALERT

执行时，在/var/log/snort/snort.log.1489953549

我知道自己的规则有效，因为如果我以 fast

I know that my rules are working, because if I execute snort with an alert-mode of fast

$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap

将创建一个新的空白 /var/log/snort/snort.log.1489954258，但还会创建一个/var/log/snort/alert日志文件，其中包含正确的警报输出.

a new blank /var/log/snort/snort.log.1489954258 is created, but a /var/log/snort/alert log file is also created, which contains the correct alert outputs.

由于权限问题，我已经看到其他遇到了此问题，但我不知道考虑到我正在以sudo的身份运行snort并能够很好地写入alert日志，因此我不认为这是我的问题.

I have seen others run into this issue because of permissions, but I don't believe that is my problem given that I am running snort as sudo and it is able to write to the alert log just fine.

据我所知，我也没有. 参考

好像brew在/usr/local/etc/snort下安装了一些默认的snort配置文件，但我认为这些并不会影响我，因为我正在使用-c开关来提供 user 配置文件.

It looks like brew installed some default snort config files under /usr/local/etc/snort, but I don't think that these are affecting me because I am using the -c switch to supply a user config file.

免责声明::这是我第一次使用snort，所以很可能我很想念它.任何帮助都将不胜感激.

DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.

推荐答案

TL; DR
使用tcpdump，snort，tshark或 Wireshark 读取snort日志文件(如何查看snort日志文件)

TL;DR
Use tcpdump, snort, tshark, or Wireshark to read snort log files (how to view snort log files)

$ sudo tcpdump -r snort.log.1489953549

我的空日志文件从未真正为空(请注意ls中的文件大小)

My empty log file was never actually empty (note file sizes from ls)

$ ls -ltr /var/log/snort/
-rw-------  1 root  admin   56018718 Mar 19 15:03 snort.log.1489954258
-rw-------  1 root  admin   56018718 Mar 19 15:11 snort.log.1489953549
-rw-r--r--  1 root  admin   70202224 Mar 19 15:11 alert

必须使用正确的应用程序读取呼吸日志文件

Snort log files must be read using the correct application

文件类型是什么?

$ sudo file snort.log.1489953549
snort.log.1489953549: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

使用tcpdump

$ sudo tcpdump -r snort.log.1489954258
06:54:16.654692 IP 192.168.5.81.amt-blc-port > 100.100.100.212.6667: Flags [P.], seq 1304973037:1304973067, ack 1425084530, win 8011, options [nop,nop,TS val 14215752 ecr 2196036272], length 30
...

这篇关于为什么我的Snort日志为空?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！