Re: [pfSense] Snort questions

2015-11-07 Thread John Johnstone

On 11/6/15 5:47 PM, Sergii Cherkashyn wrote:


Thank you John, but it doesn't seem to work.

I can download the archive file, but inside it has Barnyard2 folder with
int.waldo files in it and three more files - int.stats, alert and some
snort_randomnumber file. None of them seems to be in pcap format and
contain the pattern of the traffic that triggered the alert.


I haven't used Barnyard2 so I'm not sure what's in there and since I 
haven't enabled it, that folder is empty in my download file.


In the tar file are files with a name snort.log.unix-timestamp.  These 
are pcap files that can be opened with something like Wireshark or 
tcpdump.  The alert files are the alerts in csv format.


This must be documented somewhere but I don't know where.  I just 
browsed through these files to figure this out.


You might already be aware of this but just in case.  The files do not 
have filename extensions so you need to explicitly open the files if you 
are looking at them under Windows or Mac OS e.g. right-click then Open 
with or start Wireshark then open the files from the File Open dialog.


-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
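An added example, not code from the thread or from pfSense/Snort: since the files in the download carry no extension, this Python script identifies pcap members of the archive by their libpcap magic number rather than by name, parses the record headers to count packets and report the first/last packet timestamps, and reads the unix timestamp out of the snort.log.<timestamp> name described above. It assumes the download is a tar readable by the standard library tarfile module, and the sample archive it builds is constructed in memory for illustration.

```python
import io, re, struct, tarfile

# libpcap magic numbers: microsecond and nanosecond variants, both byte orders
PCAP_MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
              b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}
SNORT_LOG_RE = re.compile(r"snort\.log\.(\d+)$")  # file name pattern described in the thread

def pcap_summary(data):
    """Return (packets, first_ts, last_ts) for an in-memory pcap, or None if it is not pcap."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        return None
    off, stamps = 24, []                                # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break                                       # truncated record: Snort may still be writing
        stamps.append(ts_sec)
        off += 16 + incl_len
    return len(stamps), (stamps[0] if stamps else None), (stamps[-1] if stamps else None)

def scan_download(tar_bytes):
    """Find the pcap members of the downloaded tar by content, since the files carry no extension."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            f = tar.extractfile(m)                      # None for directories such as barnyard2/
            summary = pcap_summary(f.read()) if f else None
            if summary is None:
                continue                                # alert csv, int.stats, waldo files ...
            ts = SNORT_LOG_RE.search(m.name)
            found[m.name] = {"packets": summary[0], "first_ts": summary[1],
                             "last_ts": summary[2], "name_ts": int(ts.group(1)) if ts else None}
    return found

def sample_pcap_bytes():                                # constructed two-packet pcap, not real traffic
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, DLT_EN10MB
    body = b"".join(struct.pack("<IIII", ts, 0, n, n) + b"\x00" * n
                    for ts, n in ((1446817623, 60), (1446817630, 74)))
    return hdr + body

def make_sample_download():
    """Constructed tar shaped like the pfSense download: one snort.log.* pcap plus an 'alert' text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("snort.log.1446817623", sample_pcap_bytes()), ("alert", b"constructed,csv\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Run `scan_download(open("snort_logs.tgz", "rb").read())` on a real download to list which members are pcap and how many packets each holds before opening them in Wireshark; a member whose last record is cut short is reported with the packets that are intact.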


[pfSense] Snort questions

2015-11-06 Thread Sergii Cherkashyn
> 2. Is there any way to see what exact traffic/pattern triggered the
> Snort Alert? I know how to find the rule description that the
> potentially harmful traffic matched, but interested to see the exact
> traffic log that triggered the alert. I'd like to have more
> information before marking it as a false positive for my environment
> and start ignoring or disable some rules.
>
> Snort saves the packets that triggered the alert in pcap format.  You can
> download these from pfSense and view them with Wireshark.
>
> From Services > Snort > Alerts tab by Save or Remove Logs, click Download.
>
> John J.

Thank you John, but it doesn't seem to work.

I can download the archive file, but inside it has Barnyard2 folder with
int.waldo files in it and three more files - int.stats, alert and some
snort_randomnumber file. None of them seems to be in pcap format and contain
the pattern of the traffic that triggered the alert.


Best regards,
Sergii Cherkashyn




Re: [pfSense] Snort questions

2015-11-06 Thread John Johnstone

On 11/5/2015 12:06 PM, Sergii Cherkashyn wrote:


2. Is there any way to see what exact traffic/pattern triggered the
Snort Alert? I know how to find the rule description that the
potentially harmful traffic matched, but interested to see the exact
traffic log that triggered the alert. I'd like to have more information
before marking it as a false positive for my environment and start
ignoring or disable some rules.


Snort saves the packets that triggered the alert in pcap format.  You 
can download these from pfSense and view them with Wireshark.


From Services > Snort > Alerts tab by Save or Remove Logs, click Download.

-
John J.


[pfSense] Snort questions

2015-11-05 Thread Sergii Cherkashyn
Hi all,

We have 2.2.4-RELEASE (amd64) with Snort 3.2.8.2 installed.

Two questions:

1. What tool or what pfSense menu should we use to read the Snort
interface statistics? The format that is available via Snort Interface -
Interface Logs - intX.stats log file is not user friendly and it's not possible
to get any useful information from there.

2. Is there any way to see what exact traffic/pattern triggered the Snort
Alert? I know how to find the rule description that the potentially harmful
traffic matched, but interested to see the exact traffic log that triggered the
alert. I'd like to have more information before marking it as a false positive
for my environment and start ignoring or disable some rules.

Let me know if I can provide more details.

Best regards,
Sergii Cherkashyn

