How to view snort log files
I have been working with snort-IDS. I have got some log files at /var/log/snort.
The files are of type snort.log.xxxx. How do I view these files?
Comments (6)
I will reopen this question trying to merge the other answers, since I think that they are not properly explained.

1. snort.log.xxx file type. Snort could have output you two kinds of output file format, depending on the snort output plugin option for those files: tcpdump pcap and snort's unified2. In order to know what kind your files are, use the unix file command. It will tell you "tcpdump capture file" (go to 2) or "data" (go to 3).

2. You can read it as a normal capture file: you can use wireshark, tshark -r, tcpdump -r, or even re-inject them in snort with snort -r.

3. "Native" snort format. You can read it with u2spewfoo <file> (included in snort), or convert it to a pcap with u2boat. If you want to transform it to another alert system (syslog, for example), you can use barnyard2. Barnyard2 is a simple tool, but configuration is a little bit complex, so tell me if you need more information!

Barnyard2 is also capable of transforming it "continuously", i.e., the previous tools are one-shot: they print/convert one file one time, and then exit. Barnyard2 is able to monitor the snort log directory and process events at the time they are produced by snort.

The unified2 format is used because of snort's old single-threaded design. The time snort spends waiting for syslog, screen, etc. to ACK an alert is time that snort is not using to analyze packets. So the way was to dump them in an efficient binary format, and let another program (maybe with low CPU priority) process them.
Actually, you can read them in the command line or terminal like
snort -r xx.log.xxx
For details, refer to the manual of snort.

Assuming they are logged in binary PCAP format, then Wireshark is your friend.
Will output it to your screen. Use tcpdump since they are in pcap format.
Or you can use barnyard2 to read them if they are in unified2 format and dump the results into a database.
That's what I'm doing.
1. Bro, first you have to move to the snort log folder.
$ cd /var/log/snort
2. Now list the contents of the folder using the command below.
$ ls
3. Then you can see files like (for example in my case) as below.
4. Suppose you are trying to open this "tcpdump.log.67488231" file (tcpdump.log.67488231 is a sample log file captured by my system, so in your case it will have a different sequence number); you can not read the data inside the file. So in order to clearly read or understand what is inside the file, you can use the following command.
$ sudo tcpdump -r tcpdump.log.67488231
5. Now the file is open and you can read the content.
You can use the command below
$ sudo snort -r snort.log.5637972
(snort.log.5637972 is the sample file; you can find it inside the same snort log folder (/var/log/snort). After starting snort in IDS mode we will get a file like this. In order to read this file use the above command.)
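The first answer (check the format with file, then tcpdump -r for pcap or u2spewfoo for unified2) and the last answer (cd into /var/log/snort and run the reader by hand) describe the same procedure. The script below is an added example, not code from any of the answers above: it classifies each snort.log.* file by its leading bytes instead of relying on libmagic's description string, which varies between file(1) versions, and then runs the matching reader. The pcap magic numbers are the documented libpcap/pcapng ones; the unified2 record-type constants are taken from Snort's Unified2_common.h as remembered here and are an assumption. The sample files written by make_sample_logs are constructed fixtures, not real Snort output.

```shell
#!/bin/sh
# Added example: classify snort.log.* files and hand them to the right reader.
# Not part of the original answers.

snort_log_kind() {
    # Prints pcap, pcapng, unified2 or unknown for the file named in $1,
    # based only on its first four bytes.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        # libpcap global header: little/big endian, micro/nanosecond timestamps
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        # pcapng Section Header Block type; tcpdump and wireshark read this too
        0a0d0d0a) echo pcapng ;;
        *)
            # Unified2 has no magic number: every record starts with a
            # big-endian 32-bit type followed by a 32-bit length. Accept the
            # file as unified2 only if the first type is one Snort emits
            # (assumed from Unified2_common.h): PACKET(2) IDS_EVENT(7)
            # IDS_EVENT_IPV6(72) IDS_EVENT_MPLS(99) IDS_EVENT_IPV6_MPLS(100)
            # IDS_EVENT_VLAN(104) IDS_EVENT_IPV6_VLAN(105) EXTRA_DATA(110)
            case "$magic" in
                00000002|00000007|00000048|00000063|00000064|00000068|00000069|0000006e)
                    echo unified2 ;;
                *) echo unknown ;;
            esac ;;
    esac
}

make_sample_logs() {
    # Writes three constructed fixtures into directory $1 (not real Snort output):
    # a pcap file header, a unified2 IDS_EVENT record, and plain junk.
    # pcap: magic d4c3b2a1 (LE), version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
        > "$1/snort.log.1"
    # unified2: type 7, length 52, followed by a zero-filled 52-byte event body
    printf '\000\000\000\007\000\000\000\064' > "$1/snort.log.2"
    dd if=/dev/zero bs=52 count=1 2>/dev/null >> "$1/snort.log.2"
    printf 'not a snort log\n' > "$1/snort.log.3"
}

# Usage: sh view_snort_logs.sh /var/log/snort/snort.log.*
# With no arguments only the functions above are defined.
for f in "$@"; do
    kind=$(snort_log_kind "$f")
    echo "== $f: $kind =="
    case "$kind" in
        pcap|pcapng) tcpdump -nr "$f" ;;
        unified2)    u2spewfoo "$f" ;;
        *)           file "$f" ;;
    esac
done
```

Running it as root (or with read access to /var/log/snort) prints each file's detected format before the reader's output, so a file that turns out to be "unknown" is not silently fed to the wrong tool. For continuous processing rather than one-shot reading, the first answer's advice still applies: point barnyard2 at the directory instead.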