Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
question about Suricata syslog
« previous
next »
Print
Pages: [
1
]
Author
Topic: question about Suricata syslog (Read 7144 times)
xmichielx
Newbie
Posts: 44
Karma: 0
question about Suricata syslog
«
on:
March 08, 2018, 11:23:21 am »
Hi,
I am using the latest OPNsense (18.1.3 on APU2) which works fine with Suricata.
I am using the IDS and not the IPS modus, I just want to have logging and that logging sent remotely to a rsyslog server.
I see alerts in the Alerts tab and I have set up rsyslog and selected Everything to be send to the rsyslog server.
On the rsyslog server I see a lot of firewall traffic but no suricata alerts coming through although I see them in the appearing in the Alerts.
Are alerts only logged when you use the IPS and set rules to drop? (which I don't want)
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: question about Suricata syslog
«
Reply #1 on:
March 14, 2018, 06:13:01 pm »
Hi there,
Local syslog is fully functional in 18.1.4 now, but selective remote syslog must still be implemented but it shouldn't take too long.
But I think you can already send all logs to a remote location and do the filtering afterwards.
Cheers,
Franco
Logged
nines
Newbie
Posts: 46
Karma: 1
Re: question about Suricata syslog
«
Reply #2 on:
March 15, 2018, 04:53:46 pm »
Hi Franco,
I'cant confirm syslog is working correctly as stated here:
https://forum.opnsense.org/index.php?topic=7402.15
There are still IPS alerts not shown in the local syslog nor in the remote destination - they only appear in eve.json unfortunately
Logged
xmichielx
Newbie
Posts: 44
Karma: 0
Re: question about Suricata syslog
«
Reply #3 on:
October 11, 2018, 04:43:33 pm »
Small necro bump but this still occurs, for example I have these 2 entries (OPNsense 18.7.4 AMD64):
2018-10-11T15:08:06.596797+0200 blocked LAN 118.123.15.142 52566 192.168.1.25 22 ET SCAN Potential SSH Scan
2018-10-11T15:03:13.485746+0200 blocked LAN 192.168.1.116 47408 62.112.238.55 80 ET TROJAN Zberp receiving conf..
Which I find back in my syslog file on the remote syslog server;
root@bananapi:~# grep 'ET SCAN' /var/log/syslog | grep '15:08'
Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22
When I search for the TROJAN entry:
root@bananapi:~# grep -c 'TROJAN' /var/log/syslog
0
So the TROJAN entry never entered the rsyslog server..which is pretty annoying since it is about a potential TROJAN being active on my network, the SSH SCAN noise I could care less for but the TROJAN is very important for me to detect and act upon.
I have set up Monit to alert on found TROJAN, MALWARE, WORM in /var/log/syslog so it would be nice if all Suricata alerts are being sent to the rsyslog server.
Can I troubleshoot this to see why it hasn't been sent?
«
Last Edit: October 11, 2018, 04:45:20 pm by xmichielx
»
Logged
xmichielx
Newbie
Posts: 44
Karma: 0
Re: question about Suricata syslog
«
Reply #4 on:
October 12, 2018, 07:06:09 pm »
Also created
https://github.com/opnsense/core/issues/2809
for this issue not sure if it is a bug or a works as expected.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
question about Suricata syslog
