Return to
Portfolio

88. Snort

NXLog can be used to capture and process logs from the Snort network intrusion prevention system.

Snort writes log entries to the /var/log/snort/alert file. Each entry contains the date and time of the event, the packet header, a description of the type of breach that was detected, and a severity rating. Each log entry traverses multiple lines, and there is neither a fixed number of lines nor a separator.

Example 368. Snort Rules and Log Samples

Following are three example Snort rules and corresponding log messages.

Snort Rule
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Log Sample
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
04/30-07:54:41.759229 172.25.212.245 -> 172.25.212.153
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:96 DF
Type:8  Code:0  ID:16348   Seq:0  ECHO
Snort Rule
alert tcp any any -> any any (msg:"Exploit detected"; sid:1000001; content:"exploit";)
Log Sample
[**] [1:1000001:0] Exploit detected [**]
[Priority: 0]
04/30-07:54:38.312536 172.25.212.204:80 -> 192.168.255.110:46127
TCP TTL:64 TOS:0x0 ID:19844 IpLen:20 DgmLen:505 DF
***AP*** Seq: 0xF936BE12  Ack: 0x2C9A47D8  Win: 0x7B  TcpLen: 20
Snort Rule
alert tcp any any -> any any (msg:"Advanced exploit detected"; \
sid:1000002; content:"backdoor"; reference:myserver,myrules; \
gid:1000001; rev:1; classtype:shellcode-detect; priority:100; \
metadata:meta data;)
Log Sample
[**] [1000001:1000002:1] Advanced exploit detected [**]
[Classification: Executable Code was Detected] [Priority: 100]
04/30-07:54:35.707783 192.168.255.110:46117 -> 172.25.212.204:80
TCP TTL:127 TOS:0x0 ID:14547 IpLen:20 DgmLen:435 DF
***AP*** Seq: 0x49649AA5  Ack: 0x5BC496C0  Win: 0x40  TcpLen: 20
[Xref => myserver myrules]
Example 369. Parsing Snort Logs

This configuration uses an xm_multiline extension module instance with a HeaderLine regular expression to parse the log entries. An Exec directive is also used to drop all empty lines.

In the Input module instance, another regular expression captures the parts of the message and adds corresponding fields to the event record. Additional information could be extracted also, such as Xref data, by adding (.*)\s+(.*)\s+\[Xref => (.*)\] to the expression and then $Xref = $13; below it.

Finally, the log entries are formatted as JSON with the to_json() procedure.

nxlog.conf [Download file]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<Extension snort>
    Module      xm_multiline
    HeaderLine  /^\[\*\*\] \[\S+] (.*) \[\*\*\]/
    Exec        if $raw_event =~ /^\s+$/ drop();
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_file
    File        "/var/log/snort/alert"
    InputType   snort
    <Exec>
        if $raw_event =~ /(?x)^\[\*\*\]\ \[\S+\]\ (.*)\ \[\*\*\]\s+
                          (?:\[Classification:\ ([^\]]+)\]\ )?
                          \[Priority:\ (\d+)\]\s+
                          (\d\d).(\d\d)\-(\d\d:\d\d:\d\d\.\d+)
                          \ (\d+.\d+.\d+.\d+):?(\d+)?\ ->
                          \ (\d+.\d+.\d+.\d+):?(\d+)?\s+\ /
        {
            $EventName = $1;
            $Classification = $2;
            $Priority = $3;
            $EventTime = parsedate(year(now()) + "-" + $4 + "-" + $5 + " " + $6);
            $SourceIPAddress = $7;
            $SourcePort = $8;
            $DestinationIPAddress = $9;
            $DestinationPort = $10;
        }
    </Exec>
</Input>

<Output out>
    Module      om_file
    File        "/var/log/nxlog_snort"
    Exec        to_json();
</Output>
Output Sample
{
  "EventReceivedTime": "2014-05-05 09:08:58",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "EventName": "Advanced exploit detected",
  "Classification": "Executable Code was Detected",
  "Priority": "100",
  "EventTime": "2014-04-30 07:54:35",
  "SourceIPAddress": "192.168.255.110",
  "SourcePort": "46117",
  "DestinationIPAddress": "172.25.212.204",
  "DestinationPort": "80"
}