NXLog Docs

Snort

Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It can be used as a packet logger to log network packets to disk or to analyze network traffic against a defined set of rules to detect malicious activity.

NXLog can capture and process Snort logs and output events in various formats, such as syslog, JSON, or CSV.

Configuring Snort logging

Snort provides multiple output plugins that support writing logs in different formats, including JSON, CSV, unified2, and the typical one-line (fast) and five-line (full) format. By default, all file-based logs are saved in the /var/log/snort folder.

Without any configuration done by the user, Snort will create three log files upon its first run:

Filename Description

file.log

Empty file.

log.pcap.<EPOCH_TIMESTAMP>

A log file containing intercepted live network packet data.

perf_monitor_base.csv

A CSV file containing various resource and application-level information.

The easiest way NXLog can collect and parse Snort logs is to configure the alert_json plugin to write events to file in JSON format. To do this, open Snort’s configuration file located at /usr/local/etc/snort/snort.lua with a text editor and add the following configuration:

snort.lua
alert_json =
{
   file = true, (1)
   limit = 100, (2)
   fields = 'timestamp class msg priority src_addr src_port dst_addr dst_port', (3)
}
1 Enables output to file in JSON format.
2 Maximum file size in MB before rollover; When the output file reaches the said value, a new file will be created, using the present unixtime in the filename. 0 is unlimited.
3 List of fields separated by a space to include in the output.
Available list of fields

action

class

b64_data

dir

dst_addr

dst_ap

dst_port

eth_dst

eth_len

eth_src

eth_type

gid

icmp_code

icmp_id

icmp_seq

icmp_type

iface

ip_id

ip_len

msg

mpls

pkt_gen

pkt_len

pkt_num

priority

proto

rev

rule

seconds

service

sid

src_addr

src_ap

src_port

target

tcp_ack

tcp_flags

tcp_len

tcp_seq

tcp_win

timestamp

tos

ttl

udp_len

vlan

Snort rules and log samples

The following three examples depict different Snort rules and their respective events in JSON format.

ICMP packet rule

alert icmp any any -> any any (msg:"ICMP Packet"; classtype:icmp-event; sid:477; rev:1;)
Triggered by command
$ ping 192.168.1.6
Snort ICMP packet log sample
{
  "timestamp": "06/18-14:02:05.954858",
  "class": "Generic ICMP event",
  "msg": "ICMP Packet",
  "priority": 3,
  "src_addr": "192.168.1.6",
  "dst_addr": "192.168.1.2"
}

ICMP flood rule

alert icmp any any -> any any (msg:"ICMP flood"; sid:1000001; rev:1; classtype:icmp-event; detection_filter:track by_dst, count 500, seconds 3;)
Triggered by command
$ hping3 -c 15000 --icmp -d 120 -w 64 -p 80 --flood --rand-source 192.168.1.6
Snort ICMP flood log sample
{
  "timestamp": "06/17-22:28:49.269236",
  "class": "Generic ICMP event",
  "msg": "ICMP flood",
  "priority": 3,
  "src_addr": "143.181.31.216",
  "dst_addr": "192.168.1.6"
}

Denial of Service rule

alert tcp any any -> any any (flags: S; msg:"Possible DoS Attack Type : SYN flood"; classtype:attempted-dos; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)
Triggered by command
$ hping3 -c 15000 -d 120 -S -w 64 -p 25 --flood --rand-source 192.168.1.6
Snort DDoS log sample
{
  "timestamp": "06/17-21:53:38.555249",
  "class": "Attempted Denial of Service",
  "msg": "Possible DoS Attack Type : SYN flood",
  "priority": 2,
  "src_addr": "98.137.240.250",
  "src_port": 37396,
  "dst_addr": "192.168.1.6",
  "dst_port": 80
}
hping3 is a tool that can send custom ICMP/UDP/TCP packets. It can be installed by executing sudo apt install hping3 on Debian systems or sudo yum install hping3 on RHEL.

Collecting Snort logs

Example 1. Parsing Snort logs

This configuration uses the im_file input module to collect Snort logs from /var/log/snort/alert_json.txt. It utilizes a regular expression to parse event records and the parse_json() procedure of the xm_json module to convert the record into structured data. The parsedate() function is used to output the $EventTime in ISO format.

The record is then processed with the xm_rewrite module to use more user-friendly field names before formatting it to JSON with the to_json() procedure.

nxlog.conf
<Extension json>
    Module    xm_json
</Extension>

<Extension rewrite>
    Module    xm_rewrite
    Rename    msg, EventName
    Rename    class, Classification
    Rename    priority, Priority
    Rename    src_addr, SourceIPAddress
    Rename    src_port, SourcePort
    Rename    dst_addr, DestinationIPAddress
    Rename    dst_port, DestinationPort
    Delete    timestamp
</Extension>

<Input snort_logs>
    Module    im_file
    File      '/var/log/snort/alert_json*.txt'
    <Exec>
        parse_json();
        if $raw_event =~ /(\d{2})\/(\d{2})-(\d{2}:\d{2}:\d{2}\.\d{1,6})/
        {
            $EventTime = parsedate(year(now()) + "-" + $1 + "-" + $2 + "T" + $3);
        }
        else
        {
            $EventTime = $timestamp
        }
        rewrite->process();
        to_json();
    </Exec>
</Input>
Ping output sample
{
  "EventReceivedTime": "2022-06-18T14:02:06.385133+03:00",
  "SourceModuleName": "snort_logs",
  "SourceModuleType": "im_file",
  "EventName": "ICMP Packet",
  "Classification": "Generic ICMP event",
  "EventTime": "2022-06-18T14:02:05.954858+03:00",
  "SourceIPAddress": "192.168.1.6",
  "DestinationIPAddress": "192.168.1.2"
}
Ping flood output sample
{
  "EventReceivedTime": "2022-06-17T22:28:49.917456+03:00",
  "SourceModuleName": "snort_logs",
  "SourceModuleType": "im_file",
  "EventName": "ICMP flood",
  "Classification": "Generic ICMP event",
  "EventTime": "2022-06-17T22:28:49.269236+03:00",
  "SourceIPAddress": "143.181.31.216",
  "DestinationIPAddress": "192.168.1.6"
}
DDoS attack output sample
{
  "EventReceivedTime": "2022-06-17T21:53:38.799434+03:00",
  "SourceModuleName": "snort_logs",
  "SourceModuleType": "im_file",
  "EventName": "Possible DoS Attack Type : SYN flood",
  "Classification": "Attempted Denial of Service",
  "EventTime": "2022-06-17T21:53:38.555249+03:00",
  "SourceIPAddress": "98.137.240.250",
  "SourcePort": 37396,
  "DestinationIPAddress": "192.168.1.6",
  "DestinationPort": 80
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

Snort 3.1.31.0
NXLog EE 5.5.7535
Ubuntu 20.04.4 LTS
CentOS 7

Last revision: 17 June 2022