
Resolved
0 votes
What does it mean?
Snortsam logs
2018/12/30, 03:16:22, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:14:06, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2019/01/01, 22:14:56, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:15:00, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:20:37, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/04, 12:44:52, -, 1, snortsam, Starting to listen for Snort alerts.
Monday, January 07 2019, 08:54 AM
Responses (7)
  • Accepted Answer

    Monday, January 07 2019, 10:24 AM - #Permalink
    The "wrong password" has been going on for years. I don't believe it is an issue.
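As an added example (not from this thread and not Snortsam's own code), here is a small parser for the Snortsam log format shown in the question. It separates the routine "wrong password, trying to re-sync" message from the "Starting to listen" restarts and flags clusters of restarts in a short window, which is what would actually merit a closer look. The sample lines are constructed to match the format in the question.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the snortsam log format seen in the question:
# date, time, peer address ("-" when none), level, facility, message.
SNORTSAM_LOG = """\
2018/12/30, 03:16:22, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:14:06, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
2019/01/01, 22:14:56, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:15:00, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/01, 22:20:37, -, 1, snortsam, Starting to listen for Snort alerts.
2019/01/04, 12:44:52, -, 1, snortsam, Starting to listen for Snort alerts.
"""

LINE_RE = re.compile(r"^(\S+), (\S+), (\S+), (\d+), (\w+), (.*)$")


def parse_snortsam(text):
    """Parse snortsam log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time_, peer, level, facility, msg = m.groups()
        events.append({
            "ts": datetime.strptime(f"{date} {time_}", "%Y/%m/%d %H:%M:%S"),
            "peer": None if peer == "-" else peer,
            "level": int(level),
            "facility": facility,
            "msg": msg,
        })
    return events


def summarize(events, window_seconds=600):
    """Count listener restarts and per-station re-syncs; flag restart bursts.

    A burst is three restarts inside window_seconds: the single re-sync
    message is routine (as the accepted answer says), but a listener that
    keeps restarting within minutes points at a crash or restart loop.
    """
    restarts = [e["ts"] for e in events if e["msg"].startswith("Starting to listen")]
    resyncs = Counter(e["peer"] for e in events if "wrong password" in e["msg"])
    bursts = sum(
        1 for i in range(len(restarts) - 2)
        if (restarts[i + 2] - restarts[i]).total_seconds() <= window_seconds
    )
    return {"restarts": len(restarts), "resyncs": dict(resyncs), "bursts": bursts}
```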
  • Monday, January 07 2019, 10:45 AM
    Then I will ask another question. Watching the Messages log, this shows up all the time:
    This message always appears repeatedly; maybe the system is working wrong?

    Jan 7 12:27:51 gateway systemd: netifyd.service holdoff time over, scheduling restart.
    Jan 7 12:27:51 gateway systemd: Starting Netify Agent...
    Jan 7 12:27:51 gateway systemd: getty@tty1.service has no holdoff time, scheduling restart.
    Jan 7 12:27:51 gateway systemd: Started Getty on tty1.
    Jan 7 12:27:51 gateway systemd: Starting Getty on tty1...
    Jan 7 12:27:51 gateway systemd-logind: Removed session 943.
    Jan 7 12:27:51 gateway systemd: Removed slice User Slice of clearconsole.
    Jan 7 12:27:51 gateway systemd: Stopping User Slice of clearconsole.
    Jan 7 12:27:51 gateway systemd: PID file /var/run/netifyd/netifyd.pid not readable (yet?) after start.
    Jan 7 12:27:51 gateway netifyd[10960]: Netify Agent/2.82 (x86_64; conntrack; netlink; dns-cache; plugins; tcmalloc) nDPI/2.5.0 JSON/1.60
  • Monday, January 07 2019, 11:10 AM
    I cut down on a lot of the logging by setting "LogLevel=notice" in /etc/systemd/system.conf. You can also temporarily issue the command "systemd-analyze set-log-level notice"

    I am more concerned about the netifyd stuff - the application and protocol filters. Can you try restarting them and checking for messages?
  • Thursday, January 10 2019, 02:32 PM
    I have a question about Snort; I'm not sure it protects. I installed Snort from the Marketplace and I didn't make any changes.
    Is it necessary to manually configure it from SSH?
    Where can I watch the Snort alert and blocked logs?
  • Thursday, January 10 2019, 03:17 PM
    If you have the free rule set, it is very old and contains no blocking rules. Do you have the free rules or do you get the IDS updates?
  • Thursday, January 10 2019, 03:54 PM
    Nick Howitt wrote:

    If you have the free rule set, it is very old and contains no blocking rules. Do you have the free rules or do you get the IDS updates?

    I installed the free IDS: https://www.clearos.com/clearfoundation/software/clearos-7-community/marketplace/gateway/Intrusion_Detection_System
  • Thursday, January 10 2019, 04:10 PM
    If you want blocking, you have to do something like build in the Emerging Threats rules. There is a forum thread for it. Otherwise you'll need to subscribe to the updates.