
Topics - dc401

Will pay $100 for a feature to allow the snort and suricata package to update signatures, either in directory or tarball format, from a local repo such as an http/s server or file share (such as smb or sshv2) on a local network resource. Would prefer it to be part of the snort/suricata package, or it could be a separate package.

IDS/IPS / Barnyard2 and Remote Syslog Problems
« on: February 15, 2018, 08:31:02 am »
Hello everyone, I'm running a fresh install of 2.4.2_1 with the snort package. I can always get snort alerts to log locally correctly, and then I can have the firewall logs remotely hit the remote (same subnet) syslog server perfectly fine. However, using the WebUI to send to the remote syslog server, I see nothing in my pcaps that shows any UDP traffic attempts. During my troubleshooting, when I switched to TCP (same port), I saw barnyard2 establishing a TCP connection successfully; however, no alerts or data payload were sent. Running u2spewfoo on the waldo file on the interface shows data with packet payload, along with the standard fast alert file at /var/log/snort/snort_interface, the spool file and the waldo. I've also tried playing with the log facility to ensure I'm not using something possibly conflicting, but it just doesn't work for me.

I am using ET Open and Snort VRT rules with a policy enabled. There's plenty of alerting; however, trying to get Barnyard2 to even properly send to the remote syslog server is just not working for me at all. The only way I can get the remote syslog feature working is to save alerts to the firewall logs and then forward the logs to my syslog server from the firewall side, which I don't want to do; and based on the topic at: I definitely want to see the full payload sent to the syslog server.

Can someone please advise on what they have in their setup, either in the WebUI or if you manually added/revised config files on the file system?

Barnyard2.conf on the interface:
Code:
[2.4.2-RELEASE][admin@pfsense.local]/root: less /usr/local/etc/snort/snort_64371_bge1/barnyard2.conf

#   barnyard2.conf
#   barnyard2 can be found at

## General Barnyard2 settings ##
config quiet
config daemon
config decode_data_link
config alert_with_interface_name
config event_cache_size:    8192
config show_year
config dump_payload
config archivedir:          /var/log/snort/snort_bge164371/barnyard2/archive
config reference_file:      /usr/local/etc/snort/snort_64371_bge1/reference.config
config classification_file: /usr/local/etc/snort/snort_64371_bge1/classification.config
config sid_file:            /usr/local/etc/snort/snort_64371_bge1/
config gen_file:            /usr/local/etc/snort/snort_64371_bge1/
config hostname:            pfsense.local
config interface:           bge1
config waldo_file:          /var/log/snort/snort_bge164371/barnyard2/64371_bge1.waldo
config logdir:              /var/log/snort/snort_bge164371

## START user pass through ##

## END user pass through ##

## Setup input plugins ##
input unified2

## Setup output plugins ##
# syslog_full: log to a remote syslog receiver
output log_syslog_full: sensor_name pfsense.local, server <MY IP REDACTED>, protocol udp, port 514, operation_mode complete, payload_encoding ascii, log_facility LOG_SYSLOG, log_priority LOG_INFO

Also, looking at this thread, it appears others may have the same issue as me:

Has anyone been able to utilize Barnyard2 only for remote syslog alerts + full payload? I can't even get alerts to kick out without payload to

Hi guys,

Running 2.1 x64 -- barnyard2 configuration works fine when alerts in default and complete settings.

Tried to add the following barnyard2.conf line to be inserted from the WebUI:
Code:
output log_syslog_full: sensor_name snort-sensor, local, operation_mode complete
However, when I funnel traffic to the interface that Snort is running on, I still see only the alerts and none of the payload. Has anyone been able to successfully get this to work? We want to be able to get the alert + payload sent to a remote syslog server.
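As an added troubleshooting aid, not code from the post, pfSense or barnyard2: a small Python UDP syslog receiver with a self-test sender. It separates "barnyard2 is not emitting anything" from "the collector or the path to it is broken", which is the ambiguity in the thread above. Syslog's PRI header is facility * 8 + severity, so the `log_facility LOG_SYSLOG, log_priority LOG_INFO` setting in the config above should show up at the collector as `<46>`; the receiver decodes that so you can confirm the facility you configured is the one arriving. The self-test body is a constructed string and does not reproduce barnyard2's log_syslog_full record layout; the listener address, the high test port 51400 and the sensor name are assumptions.

```python
"""Added example: UDP syslog receiver plus self-test sender for checking
the barnyard2 -> remote syslog path. Not from the forum post, pfSense
or barnyard2; message bodies here are constructed, not barnyard2 output."""
import re
import socket

# Standard syslog facility codes 0..23 and severity codes 0..7 (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# PRI header: "<N>" where N is at most 191 (23 * 8 + 7).
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; LOG_SYSLOG/LOG_INFO gives 46."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog(datagram):
    """Decode a raw syslog datagram into (facility, severity, body).
    Returns None if there is no PRI header or the value is out of range,
    which is itself a useful signal (the sender is not speaking syslog)."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    body = m.group(2).decode("utf-8", "replace")
    return FACILITIES[facility], SEVERITIES[severity], body


def build_test_message(facility, severity, sensor, text):
    """Constructed test datagram: PRI header, sensor name, free text.
    This is NOT the barnyard2 log_syslog_full format; it only exercises
    the receiver and the network path."""
    return b"<%d>%s: %s" % (encode_pri(facility, severity),
                             sensor.encode(), text.encode())


def send_datagram(server, port, datagram):
    """Fire one UDP datagram at the collector (assumed address/port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


def receive_one(bind_addr="0.0.0.0", port=514, timeout=10.0):
    """Block for one datagram and return (sender_ip, parsed) or None on
    timeout. Binding 514 needs root; use a high port for a quick test and
    point barnyard2's 'port' at it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        try:
            data, addr = s.recvfrom(65535)
        except socket.timeout:
            return None
        return addr[0], parse_syslog(data)


if __name__ == "__main__":
    # Loopback self-test on an assumed high port: if this works but nothing
    # arrives from the firewall, the collector is fine and the sender is not.
    port = 51400
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(5.0)
        send_datagram("127.0.0.1", port,
                      build_test_message("syslog", "info", "pfsense.local",
                                         "constructed self-test"))
        data, addr = listener.recvfrom(65535)
        print(addr[0], parse_syslog(data))
    # Then run receive_one(port=51400) on the collector host and watch the
    # pcap on both ends while barnyard2 is restarted with the matching port.
```

If the self-test decodes as `('syslog', 'info', ...)` but nothing ever arrives from the firewall, the fault is on the sending side (barnyard2 output plugin or a filter between the hosts); if barnyard2 datagrams arrive with a different facility than the one in the config, the config in use is not the one you edited.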
