问题描述
我正在运行macOS Sierra 10.12.3
I am running macOS Sierra 10.12.3
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.12.3
BuildVersion: 16D32
我已使用自制软件
$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0
我正在运行snort并使用 user 配置文件,-s
syslog开关和tcpdump文件
I am running snort and with a user config file, -s
syslog switch, and a tcpdump-file
$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap
我的/etc/snort/snort.conf
文件具有以下 output 设置:
my /etc/snort/snort.conf
file has the following output settings:
output alert_syslog: LOG_AUTH LOG_ALERT
执行时,在/var/log/snort/snort.log.1489953549
我知道自己的规则有效,因为如果我以 fast
I know that my rules are working, because if I execute snort with an alert-mode of fast
$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap
将创建一个新的空白 /var/log/snort/snort.log.1489954258
,但还会创建一个/var/log/snort/alert
日志文件,其中包含正确的警报输出.
a new blank /var/log/snort/snort.log.1489954258
is created, but a /var/log/snort/alert
log file is also created, which contains the correct alert outputs.
由于权限问题,我已经看到其他遇到了此问题,但我不知道考虑到我正在以sudo
的身份运行snort并能够很好地写入alert
日志,因此我不认为这是我的问题.
I have seen others run into this issue because of permissions, but I don't believe that is my problem given that I am running snort as sudo
and it is able to write to the alert
log just fine.
据我所知,我也没有. 参考
好像brew在/usr/local/etc/snort
下安装了一些默认的snort配置文件,但我认为这些并不会影响我,因为我正在使用-c
开关来提供 user 配置文件.
It looks like brew installed some default snort config files under /usr/local/etc/snort
, but I don't think that these are affecting me because I am using the -c
switch to supply a user config file.
免责声明::这是我第一次使用snort,所以很可能我很想念它.任何帮助都将不胜感激.
DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.
推荐答案
TL; DR
使用tcpdump
,snort
,tshark
或 Wireshark 读取snort日志文件(如何查看snort日志文件)
TL;DR
Use tcpdump
, snort
, tshark
, or Wireshark to read snort log files (how to view snort log files)
$ sudo tcpdump -r snort.log.1489953549
我的空日志文件从未真正为空(请注意ls
中的文件大小)
My empty log file was never actually empty (note file sizes from ls
)
$ ls -ltr /var/log/snort/
-rw------- 1 root admin 56018718 Mar 19 15:03 snort.log.1489954258
-rw------- 1 root admin 56018718 Mar 19 15:11 snort.log.1489953549
-rw-r--r-- 1 root admin 70202224 Mar 19 15:11 alert
必须使用正确的应用程序读取呼吸日志文件
Snort log files must be read using the correct application
文件类型是什么?
$ sudo file snort.log.1489953549
snort.log.1489953549: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
使用tcpdump
$ sudo tcpdump -r snort.log.1489954258
06:54:16.654692 IP 192.168.5.81.amt-blc-port > 100.100.100.212.6667: Flags [P.], seq 1304973037:1304973067, ack 1425084530, win 8011, options [nop,nop,TS val 14215752 ecr 2196036272], length 30
...
这篇关于为什么我的Snort日志为空?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!