Comments on "Learning by practicing: Snort3 on Ubuntu 20 - Housekeeping - AppID, RNA, Performance Monitoring, Profiling, JSON Logging, Other config, etc."
Blog author: Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN (http://www.blogger.com/profile/10282323977269843041)

Comment by Nik Alleyne, 2022-03-17 11:13 (-07:00):

:-; Thanks Rob!

- "But... so now what??" By default these should be in your /var/log/snort.
- "Or does it email me" You will have to set that up separately. Maybe forward to your SIEM?
- "or do I need to sit in front of the screen all day?" I hope not! :-D
- "An insight into reading/parsing/figuring out Snort logs would be cool." - I can do this, just not now. However, look at these to see if they help:
https://www.securitynik.com/2022/02/powershell-empire-detection-with-snort3.html
https://www.securitynik.com/2021/12/continuing-log4shell-snort3-rule.html

In the interim, you should write a simple rule such as "alert tcp any any -> any any (msg:"This is a test rule")". Use this either while snort3 is running live or feed it to a PCAP file with something such as "snort -A cmg -r your-pcap_file.pcap -v". If anything shows up on the screen, then check your /var/log/snort to see what is written there. If nothing is written, play around on the command line with other logging options. Page 89 here should be helpful: https://usermanual.wiki/Document/snortmanual.760997111

Let me know if there is anything else I can help with.
Good luck!
Nik Alleyne (https://www.blogger.com/profile/10282323977269843041)

Comment by Rob, 2022-03-17 09:51 (-07:00):

Great article! The most concise anywhere on Snort3.

I am a newbie to Snort; well, I used it maybe 20 years ago, and nothing till today. So I followed all your lessons and everything seems to be running fine.

But... so now what?? Where are the logs going so I can see them? Or does it email me, or do I need to sit in front of the screen all day? :)

I have no new logs of any type in /var/log/snort other than the RNA ones, and nothing in the syslog other than when it starts and stops.
An insight into reading/parsing/figuring out Snort logs would be cool.
Thanks!
Rob (https://www.blogger.com/profile/12307672398463795313)
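The thread above asks where Snort 3 alerts end up and how to read them once they do. The following is an added example, written for this page and not code from the blog post or from either commenter. It assumes Snort 3 was started with the JSON alert logger (for example `snort -c snort.lua -A alert_json -l /var/log/snort -r your-pcap_file.pcap`, or `alert_json = { file = true }` in snort.lua, which writes `/var/log/snort/alert_json.txt`), and that the output uses the alert_json logger's default field names plus `msg`. The sample lines embedded below are constructed for the example, not captured from a real sensor; check the field names against your own `alert_json.txt` before relying on the summary. It parses one JSON object per line, tolerates a half-written last line (Snort may still be appending when you read the file), answers the practical question "did my test rule (sid 1000001) fire?", and tallies alerts by rule, source address and destination port.

```python
#!/usr/bin/env python3
"""Read Snort 3 alert_json output and summarise it. Added example; assumes
the alert_json logger's default fields (timestamp, pkt_num, proto, pkt_gen,
pkt_len, dir, src_ap, dst_ap, rule, action) plus msg."""
import json
import sys
from collections import Counter

# Constructed sample lines in the alert_json style (values are made up).
# The last line is deliberately truncated to mimic a file still being written.
SAMPLE_ALERT_JSON = """\
{ "timestamp" : "03/17-10:02:11.123456", "pkt_num" : 4, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 74, "dir" : "C2S", "src_ap" : "192.0.2.10:51234", "dst_ap" : "198.51.100.5:80", "rule" : "1:1000001:0", "action" : "allow", "msg" : "This is a test rule" }
{ "timestamp" : "03/17-10:02:11.456789", "pkt_num" : 6, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 74, "dir" : "C2S", "src_ap" : "192.0.2.10:51236", "dst_ap" : "198.51.100.5:443", "rule" : "1:1000001:0", "action" : "allow", "msg" : "This is a test rule" }
{ "timestamp" : "03/17-10:02:12.000123", "pkt_num" : 8, "proto" : "UDP", "pkt_gen" : "raw", "pkt_len" : 90, "dir" : "C2S", "src_ap" : "2001:db8::1:5353", "dst_ap" : "2001:db8::2:5353", "rule" : "1:1000002:0", "action" : "allow", "msg" : "UDP test rule" }
{ "timestamp" : "03/17-10:02:13.000001", "pkt_num" : 9, "proto"
"""


def parse_alerts(text):
    """Parse alert_json output: one JSON object per line.

    Blank lines are skipped; a line that does not parse (typically a
    partially written final line) is skipped rather than aborting the run.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def split_ap(ap):
    """Split an 'address:port' string into (address, port).

    rpartition on the last colon so IPv6 addresses keep their own colons.
    """
    ip, _, port = ap.rpartition(":")
    return ip, int(port)


def parse_rule_id(rule):
    """'gid:sid:rev' -> (gid, sid, rev) as ints."""
    gid, sid, rev = (int(part) for part in rule.split(":"))
    return gid, sid, rev


def rule_fired(alerts, sid, gid=1):
    """True if at least one alert came from the given gid:sid."""
    return any(parse_rule_id(a["rule"])[:2] == (gid, sid) for a in alerts)


def summarize(alerts):
    """Count alerts by (rule, msg), by source address and by proto/dst port."""
    by_rule, by_src, by_dst_port = Counter(), Counter(), Counter()
    for a in alerts:
        by_rule[(a["rule"], a.get("msg", ""))] += 1
        src_ip, _ = split_ap(a["src_ap"])
        _, dst_port = split_ap(a["dst_ap"])
        by_src[src_ip] += 1
        by_dst_port[(a["proto"], dst_port)] += 1
    return {"total": len(alerts), "by_rule": by_rule,
            "by_src": by_src, "by_dst_port": by_dst_port}


def main():
    # Usage: alert_summary.py [/var/log/snort/alert_json.txt]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ALERT_JSON
    alerts = parse_alerts(text)
    s = summarize(alerts)
    print(f"{s['total']} alerts parsed")
    print("test rule 1:1000001 fired:", rule_fired(alerts, 1000001))
    for (rule, msg), n in s["by_rule"].most_common():
        print(f"  {n:5d}  {rule}  {msg}")
    for src, n in s["by_src"].most_common(5):
        print(f"  {n:5d}  from {src}")
    for (proto, port), n in s["by_dst_port"].most_common(5):
        print(f"  {n:5d}  to {proto}/{port}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the constructed sample, or point it at your own `alert_json.txt`. If the test rule shows up under `-A cmg` on the console but `rule_fired` reports False here, the JSON logger is not enabled (or is writing somewhere other than the `-l` directory), which narrows the "where are my logs" question to configuration rather than detection.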