[syslog-ng] loop caused by syslog-ng filter

Adam Richter Sub-Zero-1 at gmx.at
Thu Mar 20 09:22:49 CET 2008 

Hi!

First off, sorry for my poor english!
I have a problem with a loop caused by syslog-ng v. 2.0.8.  I have set up Snort as an IDS System. Snort writes its messages in unified-format to /var/log/snort/snort.alert and /var/log/snort/snort.log. There are two Barnyard processes which read the unified files and convert it to messages that syslog and MySQL understand. Syslog-ng  writes the messages to /var/log/auth.log. All this is working fine. Now, I want to set up a filter for Priority 1 alerts. This alert should be send to the Administrator.

I used following filter for syslog-ng:

source src {unix-stream("/dev/log"); internal();}; 
destination email{program("/usr/local/bin/alert_mail.sh");}; 
filter high {match("[Priority: 1]");}; 
log {source(src);filter(high); destination(email);};


The alert_mail.sh:

#!/bin/sh 
cat << EOF | mail -s "High Priority Snort Alert" Sub-Zero at xxx.de 
Alert, Priority 1 
EOF


Then I use Nessus to cause some alerts with Priority 1. I can see 4 alerts with the Priority 1 with BASE and in /var/log/auth.log.

Syslog-ng recognises the alert with Priority 1 and activates the script /usr/local/bin/alert_mail.sh

All this is working, but the script is restarted by syslog-ng again an again. 

Extract from /var/log/messages:

Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Closing log writer fd; fd='11'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
…
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256'
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='256'
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting destination program; cmdline='/usr/local/bin/alert_mail.sh '
Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program exited, restarting; 

…


I get thousands of mails per minute till I stop syslog-ng. 

Output of /var/log/auth.log(so y see that syslog-ng writes snort/barnyard messages correctly to auth.log):

Mar 19 13:56:54 src at Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137
Mar 19 13:57:13 src at Sensor1 barnyard: [1:1446:8] SMTP vrfy root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
Mar 19 13:57:13 src at Sensor1 barnyard: [1:660:11] SMTP expn root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
Mar 19 13:57:22 src at Sensor1 barnyard: [1:12626:2] Snort Alert [1:12626:0] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
Mar 19 13:57:22 src at Sensor1 barnyard: [1:585:9] RPC portmap sadmind request UDP [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
Mar 19 13:57:24 src at Sensor1 barnyard: [1:566:6] POLICY PCAnywhere server response [Classification: Misc activity] [Priority: 3] {UDP} 172.25.1.152:1155 -> 172.28.100.10:5632
Mar 19 15:11:27 src at Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10
Mar 19 15:11:58 src at Sensor1 barnyard: [1:1420:13] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:162
Mar 19 15:11:58 src at Sensor1 barnyard: [1:1418:13] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:161
Mar 19 15:12:05 src at Sensor1 barnyard: [1:1421:13] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:705
Mar 19 15:12:16 src at Sensor1 barnyard: [122:1:0] portscan: TCP Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 172.25.1.152 -> 172.28.100.10
Mar 19 15:12:19 src at Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
Mar 19 15:12:20 src at Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
Mar 19 15:12:22 src at Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137


I think it has something in common with this topic:

https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html

Thanks in advance!

Sub-Zero


-- 
GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen!
Jetzt dabei sein: http://www.shortview.de/?mc=sv_ext_mf@gmx

More information about the syslog-ng mailing list