Snort finding the alert file DATA with snort.logs.xxxxxxx


Like you said, by default, Snort will log two ways:

  1. alert file - Contains alert metadata in text format
  2. snort.log.########## - PCAP of the packet(s) that triggered the alert

The way I would go about doing this (with only basic linux bash commands) would be:

The single alert approach

To find alert entries:

Search the alert file. You can search by IP address or by alert name using grep.

grep "PATTERN" /var/log/snort/alert

A typical log entry line would look like:

01/04-03:28:11.959559  [**] [1:1000001:1] Signature_Name [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.1:80 -> 192.168.1.128:39590

To find the corresponding PCAP file:

Then, to figure out which file was written, you can either look at the modified times in a long directory listing (ls -l), or you can convert the timestamp (don't forget to add the year and put a space between the date and time) to epoch time using the following command:

date "+%s" -d "01/04/2018 03:28:11.959559"

Output:

1515054491

Then look for a file called snort.log.1515054491. That should contain the PCAP data.

If you need multiple logs for one IP address

This is the sledgehammer approach. If they want entries from both files only pertaining to a single IP address, this is what I would do:

Alert file entries

Grep for the IP address and then write output to a separate file.

grep -wF "192.168.1.1" /var/log/snort/alert > /tmp/alerts_192.168.1.1.txt

That should just filter on only lines where the IP address appears and redirect it to a new file that you can provide the security team.

PCAP files

I would exercise caution in doing this since the snort log directory may be very large and iterating over a large group of files could put strain on a system (especially if it's a sensor with a very high traffic volume). I would recommend using a file mask for an approximate time frame for the data you are looking for. Keep in mind, this time frame needs to be in epoch format.

Say the team wants everything from now going back an hour ago (3600 seconds). Epoch timestamp is 1515054491. Subtract 3600 from that and you get 1515050891.

1515050891 - Start
1515054491 - End
151505???? - File mask (close enough)

I would then create a for loop to iterate through all of those files and perform a tcpdump command to filter only on the IP address in question.

tcpdump -r infile -w outfile "BPF"

The options:

  • -r is for read from a file (as opposed to starting a live capture from an interface)
  • -w is for write output to a file
  • "BPF" - Berkeley packet filter (In this case, it would be "host 192.168.1.1" to specify any packets with that IP.)

And now, the for loop:

cd /var/log/snort
for file in snort.log.151505????
do
    tcpdump -r "$file" -w "/tmp/$file" "host 192.168.1.1"
done

And now, you should have a copy of all of your alert files in the /tmp folder, but only with data pertaining to that specific IP address. If you have mergecap installed, I would recommend combining all of these into a single PCAP file using the following:

mergecap -w /tmp/snort_log_192.168.1.1.pcap /tmp/snort.log.*

You should now have two files in /tmp:

  • /tmp/alerts_192.168.1.1.txt
  • /tmp/snort_log_192.168.1.1.pcap

Then, provide those files to your security team.
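The steps above (filter the alert file for one host, turn each alert timestamp into epoch seconds, then locate the matching snort.log.* capture) as one runnable script. This is an added example, not code from the answer above; it assumes GNU date, the default alert line format shown above, and that the numeric suffix of snort.log.<epoch> is the second the file was opened, so an alert at time T is in the file with the largest suffix not greater than T rather than necessarily in snort.log.T. Snort stamps alert lines in the sensor's local time, so the SNORT_TZ variable (my name, not a Snort setting) must be the sensor's timezone; the demo data is constructed and the pcap files are empty placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer. Given Snort's text alert file and
# one IP address, it (1) keeps only the alert lines for that host, (2) converts each
# alert timestamp to epoch seconds, and (3) maps each alert to the snort.log.<epoch>
# file that was open when the packet was logged.
#
# Assumptions (not stated on the page): GNU date (-d); the default alert format shown
# in the answer ("MM/DD-HH:MM:SS.usec  [**] ... {PROTO} src:port -> dst:port");
# snort.log.<epoch> is named for the second the file was OPENED, so an alert at time T
# lives in the file with the largest suffix <= T, not necessarily snort.log.T; and
# SNORT_TZ (hypothetical variable) holds the sensor's timezone, because Snort stamps
# alerts in local time.

SNORT_TZ=${SNORT_TZ:-UTC}

# alert_epoch "01/04-03:28:11.959559" 2018  ->  epoch seconds (1515036491 when SNORT_TZ=UTC)
alert_epoch() {
    ts=$1; year=$2
    mdy=${ts%%-*}                       # "01/04"
    hms=${ts#*-}; hms=${hms%%.*}        # "03:28:11", microseconds dropped
    TZ=$SNORT_TZ date "+%s" -d "$mdy/$year $hms"
}

# alerts_for_ip ALERTFILE IP  ->  only lines where IP appears as a whole address
# (-w keeps 192.168.1.1 from also matching 192.168.1.128; -F treats the dots literally)
alerts_for_ip() {
    grep -wF "$2" "$1"
}

# pcap_for_epoch LOGDIR EPOCH  ->  path of the snort.log.* file open at EPOCH, or status 1
pcap_for_epoch() {
    dir=$1; want=$2; best=""; best_suffix=0
    for f in "$dir"/snort.log.*; do
        [ -e "$f" ] || continue
        suffix=${f##*.}
        case $suffix in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$suffix" -le "$want" ] && [ "$suffix" -ge "$best_suffix" ]; then
            best=$f; best_suffix=$suffix
        fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; return 0; fi
    return 1
}

# pcaps_for_ip ALERTFILE IP YEAR LOGDIR  ->  de-duplicated list of pcap files to hand over
pcaps_for_ip() {
    alerts_for_ip "$1" "$2" | while IFS= read -r line; do
        ts=${line%% *}                   # first field of the alert line is the timestamp
        epoch=$(alert_epoch "$ts" "$3")
        pcap_for_epoch "$4" "$epoch" || printf 'no pcap on disk for alert at %s\n' "$ts" >&2
    done | sort -u
}

# make_demo_dir  ->  a temp dir holding CONSTRUCTED sample data (not real sensor output):
# three alert lines (two involving 192.168.1.1, one for 192.168.1.10 that must not match)
# and three empty pcap placeholders named for the second each was opened.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/alert" <<'EOF'
01/04-03:28:11.959559  [**] [1:1000001:1] Signature_Name [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.1:80 -> 192.168.1.128:39590
01/04-03:40:02.000123  [**] [1:1000002:1] Other_Sig [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.128:39591 -> 192.168.1.1:80
01/04-03:45:00.000000  [**] [1:1000003:1] Unrelated [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:53 -> 192.168.1.10:5353
EOF
    for s in 1515024000 1515036000 1515037200; do : > "$d/snort.log.$s"; done
    printf '%s\n' "$d"
}

# Demo run on the constructed data. On a sensor, point the functions at
# /var/log/snort/alert and /var/log/snort instead, with SNORT_TZ set to the sensor's zone.
demo=$(make_demo_dir)
pcaps_for_ip "$demo/alert" 192.168.1.1 2018 "$demo"
```

The list printed by pcaps_for_ip is the set of captures worth running through the tcpdump loop from the answer, which avoids iterating over every file in a large log directory; the first alert (03:28:11) resolves to snort.log.1515036000 because that file was opened before the alert and the next one only at 1515037200.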

Updated on September 18, 2022

Comments

  • chandu
    chandu over 1 year

    I am working on a task where my security team is asking me to provide a pcap file under the folder /var/log/snort. They have picked up a source IP address from an alert file and they need to do more analysis on pcap files (i.e. snort.log.xxxxxxx) for that source IP address.

    The alert file and snort.log.xxxxx files are in the same folder. How to give them exact snort.log.xxxxx file for the analysis? Please give some commands or any technique to do this. I am very new to this field I am handling the Linux machine (Centos 7) where snort is dumping the logs.

    • schroeder
      schroeder over 6 years
      This is not a security question. You are asking how to grep files.
  • chandu
    chandu over 6 years
    Thanks Damian, I am using your solution with my tweaks. This helped me a lot. You are awesome...
  • Damian T.
    Damian T. over 6 years
    You are quite welcome. Glad I could help! :)