Snort
Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It can be used as a packet logger to log network packets to disk or to analyze network traffic against a defined set of rules to detect malicious activity.
NXLog Agent can capture and process Snort logs and output events in various formats, such as syslog, JSON, or CSV.
Configuring Snort logging
Snort provides multiple output plugins that support writing logs in different formats, including JSON, CSV, unified2, and the typical one-line (fast) and five-line (full) formats.
By default, all file-based logs are saved in the /var/log/snort
folder.
Without any configuration done by the user, Snort will create three log files upon its first run:
Filename | Description |
---|---|
file.log |
Empty file. |
log.pcap.<EPOCH_TIMESTAMP> |
A log file containing intercepted live network packet data. |
perf_monitor_base.csv |
A CSV file containing various resource and application-level information. |
The easiest way NXLog Agent can collect and parse Snort logs is to configure the alert_json
plugin to write events to file in JSON format.
To do this, open Snort’s configuration file located at /usr/local/etc/snort/snort.lua
with a text editor and add the following configuration:
alert_json =
{
file = true, (1)
limit = 100, (2)
fields = 'timestamp class msg priority src_addr src_port dst_addr dst_port', (3)
}
1 | Enables output to file in JSON format. |
2 | Maximum file size in MB before rollover; When the output file reaches the said value, a new file will be created, using the present unixtime in the filename. 0 is unlimited. |
3 | List of fields separated by a space to include in the output. |
Available list of fields |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Snort rules and log samples
The following three examples depict different Snort rules and their respective events in JSON format.
ICMP packet rule
alert icmp any any -> any any (msg:"ICMP Packet"; classtype:icmp-event; sid:477; rev:1;)
$ ping 192.168.1.6
{
"timestamp": "06/18-14:02:05.954858",
"class": "Generic ICMP event",
"msg": "ICMP Packet",
"priority": 3,
"src_addr": "192.168.1.6",
"dst_addr": "192.168.1.2"
}
ICMP flood rule
alert icmp any any -> any any (msg:"ICMP flood"; sid:1000001; rev:1; classtype:icmp-event; detection_filter:track by_dst, count 500, seconds 3;)
$ hping3 -c 15000 --icmp -d 120 -w 64 -p 80 --flood --rand-source 192.168.1.6
{
"timestamp": "06/17-22:28:49.269236",
"class": "Generic ICMP event",
"msg": "ICMP flood",
"priority": 3,
"src_addr": "143.181.31.216",
"dst_addr": "192.168.1.6"
}
Denial of Service rule
alert tcp any any -> any any (flags: S; msg:"Possible DoS Attack Type : SYN flood"; classtype:attempted-dos; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)
$ hping3 -c 15000 -d 120 -S -w 64 -p 25 --flood --rand-source 192.168.1.6
{
"timestamp": "06/17-21:53:38.555249",
"class": "Attempted Denial of Service",
"msg": "Possible DoS Attack Type : SYN flood",
"priority": 2,
"src_addr": "98.137.240.250",
"src_port": 37396,
"dst_addr": "192.168.1.6",
"dst_port": 80
}
hping3 is a tool that can send custom ICMP/UDP/TCP packets.
It can be installed by executing sudo apt install hping3 on Debian systems or sudo yum install hping3 on RHEL.
|
Collecting Snort logs
This configuration uses the im_file input module to collect Snort logs from /var/log/snort/alert_json.txt
.
It utilizes a regular expression to parse event records and the parse_json() procedure of the xm_json module to convert the record into structured data.
The parsedate() function is used to output the $EventTime
in ISO format.
The record is then processed with the xm_rewrite module to use more user-friendly field names before formatting it to JSON with the to_json() procedure.
<Extension json>
Module xm_json
</Extension>
<Extension rewrite>
Module xm_rewrite
Rename msg, EventName
Rename class, Classification
Rename priority, Priority
Rename src_addr, SourceIPAddress
Rename src_port, SourcePort
Rename dst_addr, DestinationIPAddress
Rename dst_port, DestinationPort
Delete timestamp
</Extension>
<Input snort_logs>
Module im_file
File '/var/log/snort/alert_json*.txt'
<Exec>
parse_json();
if $raw_event =~ /(\d{2})\/(\d{2})-(\d{2}:\d{2}:\d{2}\.\d{1,6})/
{
$EventTime = parsedate(year(now()) + "-" + $1 + "-" + $2 + "T" + $3);
}
else
{
$EventTime = $timestamp
}
rewrite->process();
to_json();
</Exec>
</Input>
{
"EventReceivedTime": "2022-06-18T14:02:06.385133+03:00",
"SourceModuleName": "snort_logs",
"SourceModuleType": "im_file",
"EventName": "ICMP Packet",
"Classification": "Generic ICMP event",
"EventTime": "2022-06-18T14:02:05.954858+03:00",
"SourceIPAddress": "192.168.1.6",
"DestinationIPAddress": "192.168.1.2"
}
{
"EventReceivedTime": "2022-06-17T22:28:49.917456+03:00",
"SourceModuleName": "snort_logs",
"SourceModuleType": "im_file",
"EventName": "ICMP flood",
"Classification": "Generic ICMP event",
"EventTime": "2022-06-17T22:28:49.269236+03:00",
"SourceIPAddress": "143.181.31.216",
"DestinationIPAddress": "192.168.1.6"
}
{
"EventReceivedTime": "2022-06-17T21:53:38.799434+03:00",
"SourceModuleName": "snort_logs",
"SourceModuleType": "im_file",
"EventName": "Possible DoS Attack Type : SYN flood",
"Classification": "Attempted Denial of Service",
"EventTime": "2022-06-17T21:53:38.555249+03:00",
"SourceIPAddress": "98.137.240.250",
"SourcePort": 37396,
"DestinationIPAddress": "192.168.1.6",
"DestinationPort": 80
}