Topic: Are Snort Intrusion Alerts Automatically Saved on the Harddisk by Default?

Teo En Ming

Hi,

I came across some Snort IDS settings.

The first setting is:

Services / Snort / Edit Interface / WAN

    Snort will send Alerts to the firewall's system logs

The 2nd setting is:

Services / Snort / Alerts

    Download Alert Log Actions

Do these mean that Snort IDS will not save intrusion alerts automatically to the filesystem by default?

If Snort IDS does save intrusion alerts automatically on the hard disk by default, where are they saved, i.e. the full path?

NogBadTheBad

They'll be under /var/log/snort :-

[2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg
total 100
drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 .
drwxr-xr-x  7 root  wheel   1024 Dec 19 20:59 ..
-rw-rw----  1 root  wheel      0 Dec 22 12:17 alert
drw-rw----  3 root  wheel   4096 Jan 15 11:15 snort_igb0.256577
drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654
drw-rw----  3 root  wheel   2048 Jan 15 00:20 snort_igb0.427080
drw-rw----  3 root  wheel   3072 Jan 15 00:20 snort_igb0.516395
drw-rw----  3 root  wheel   2048 Jan 15 00:20 snort_igb0.658303
drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478
drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518

-rw-rw----  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log
[2.4.2-RELEASE][admin@pfsense]/var/log/snort:

The entries in red are directories; the info is stored under here.
« Last Edit: January 15, 2018, 01:36:03 pm by NogBadTheBad »
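
Added example (not part of either post, and not pfSense or Snort code): a POSIX sh function that walks the per-interface snort_* directories shown in the listing above and prints the size and path of every log file beneath them. The function name and output format are this example's own, and the layout is assumed from that listing.

```shell
#!/bin/sh
# Added example: enumerate Snort's per-interface log files.
# Layout assumed from the listing above: ROOT/snort_<interface><id>/...
# The function name and output format are this example's own.

# list_snort_logs [ROOT]
# Prints "<size-bytes><TAB><path>" for every regular file found beneath each
# snort_* directory in ROOT. Plain files in ROOT itself (the top-level
# "alert", snort_rules_update.log) are skipped.
list_snort_logs() {
    root=${1:-/var/log/snort}
    for dir in "$root"/snort_*; do
        # snort_rules_update.log also matches the glob; keep directories only.
        [ -d "$dir" ] || continue
        # Recurse, because the per-interface directories contain subdirectories.
        find "$dir" -type f -exec sh -c '
            for f in "$@"; do
                # wc pads its output on BSD; strip the spaces.
                printf "%s\t%s\n" "$(wc -c <"$f" | tr -d " ")" "$f"
            done' sh {} +
    done
}
```

Source the file and call list_snort_logs as root, since the directories in the listing are readable only by root and the wheel group.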