[syslog-ng] loop caused by syslog-ng filter

JUNG, Christian christian.jung at saarstahl.com
Thu Mar 20 10:32:31 CET 2008


Hi Adam,

syslog-ng does the right thing :-).

It starts the program/script once and pipes on STDIN every log-message which matches the filter.

If your script is started, it calls mail, pipes "Alert, priority 1" to its STDIN and then exits. syslog-ng sees this and restarts it (versions 2.0 and higher behave that way, see <http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch09s02.html#reference_destination_program>).

For your purpose this would be better:

---8<---
#!/bin/bash

# Keep reading until syslog-ng closes the pipe: one mail per matching line.
# IFS= and -r keep leading blanks and backslashes in the log line intact.
while IFS= read -r LINE; do
	# <<- strips leading tabs, so the body and the EOF marker are tab-indented.
	cat <<-EOF | mail -s "High Priority Snort Alert" Sub-Zero at xxx.de
	Alert, Priority 1
	$LINE
	EOF
done
---8<---


bye
Chris

> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of Adam Richter
> Sent: Thursday, March 20, 2008 9:23 AM
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] loop caused by syslog-ng filter
> 
> 
> Hi!
> 
> First off, sorry for my poor English!
> I have a problem with a loop caused by syslog-ng v. 2.0.8. I 
> have set up Snort as an IDS system. Snort writes its messages 
> in unified format to /var/log/snort/snort.alert and 
> /var/log/snort/snort.log. There are two Barnyard processes 
> which read the unified files and convert them to messages that 
> syslog and MySQL understand. Syslog-ng writes the messages 
> to /var/log/auth.log. All this is working fine. Now, I want 
> to set up a filter for Priority 1 alerts. This alert should 
> be sent to the administrator.
> 
> I used the following filter for syslog-ng:
> 
> source src {unix-stream("/dev/log"); internal();}; 
> destination email{program("/usr/local/bin/alert_mail.sh");}; 
> filter high {match("[Priority: 1]");}; 
> log {source(src);filter(high); destination(email);};
> 
> 
> The alert_mail.sh:
> 
> #!/bin/sh 
> cat << EOF | mail -s "High Priority Snort Alert" Sub-Zero at xxx.de 
> Alert, Priority 1 
> EOF
> 
> 
> Then I use Nessus to cause some alerts with Priority 1. I can 
> see 4 alerts with the Priority 1 with BASE and in /var/log/auth.log.
> 
> Syslog-ng recognises the alert with Priority 1 and activates 
> the script /usr/local/bin/alert_mail.sh
> 
> All this is working, but the script is restarted by syslog-ng 
> again and again. 
> 
> Extract from /var/log/messages:
> 
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program 
> exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', 
> status='0'
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination 
> program; cmdline='/usr/local/bin/alert_mail.sh '
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Closing log writer 
> fd; fd='11'
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program 
> exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', 
> status='0'
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination 
> program; cmdline='/usr/local/bin/alert_mail.sh '
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program 
> exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', 
> status='0'
> Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination 
> program; cmdline='/usr/local/bin/alert_mail.sh '
> Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program 
> exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', 
> status='256'
> Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting 
> destination program; cmdline='/usr/local/bin/alert_mail.sh '
> Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program 
> exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', 
> status='256'
> Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting 
> destination program; cmdline='/usr/local/bin/alert_mail.sh '
> Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program 
> exited, restarting; 
> 
> 
> 
> I get thousands of mails per minute till I stop syslog-ng. 
> 
> Output of /var/log/auth.log (so you see that syslog-ng writes 
> snort/barnyard messages correctly to auth.log):
> 
> Mar 19 13:56:54 src at Sensor1 barnyard: [1:1394:8] SHELLCODE 
> x86 NOOP [Classification: Executable code was detected] 
> [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137
> Mar 19 13:57:13 src at Sensor1 barnyard: [1:1446:8] SMTP vrfy 
> root [Classification: Attempted Information Leak] [Priority: 
> 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
> Mar 19 13:57:13 src at Sensor1 barnyard: [1:660:11] SMTP expn 
> root [Classification: Attempted Information Leak] [Priority: 
> 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
> Mar 19 13:57:22 src at Sensor1 barnyard: [1:12626:2] Snort Alert 
> [1:12626:0] [Classification: Decode of an RPC Query] 
> [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
> Mar 19 13:57:22 src at Sensor1 barnyard: [1:585:9] RPC portmap 
> sadmind request UDP [Classification: Decode of an RPC Query] 
> [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
> Mar 19 13:57:24 src at Sensor1 barnyard: [1:566:6] POLICY 
> PCAnywhere server response [Classification: Misc activity] 
> [Priority: 3] {UDP} 172.25.1.152:1155 -> 172.28.100.10:5632
> Mar 19 15:11:27 src at Sensor1 barnyard: [122:1:0] portscan: TCP 
> Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 
> 172.25.1.152 -> 172.28.100.10
> Mar 19 15:11:58 src at Sensor1 barnyard: [1:1420:13] SNMP trap 
> tcp [Classification: Attempted Information Leak] [Priority: 
> 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:162
> Mar 19 15:11:58 src at Sensor1 barnyard: [1:1418:13] SNMP 
> request tcp [Classification: Attempted Information Leak] 
> [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:161
> Mar 19 15:12:05 src at Sensor1 barnyard: [1:1421:13] SNMP 
> AgentX/tcp request [Classification: Attempted Information 
> Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:705
> Mar 19 15:12:16 src at Sensor1 barnyard: [122:1:0] portscan: TCP 
> Portscan [Classification: Unknown] [Priority: 3] {PROTO255} 
> 172.25.1.152 -> 172.28.100.10
> Mar 19 15:12:19 src at Sensor1 barnyard: [1:1394:8] SHELLCODE 
> x86 NOOP [Classification: Executable code was detected] 
> [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> Mar 19 15:12:20 src at Sensor1 barnyard: [1:1394:8] SHELLCODE 
> x86 NOOP [Classification: Executable code was detected] 
> [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> Mar 19 15:12:22 src at Sensor1 barnyard: [1:1394:8] SHELLCODE 
> x86 NOOP [Classification: Executable code was detected] 
> [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> 
> 
> I think it has something in common with this topic:
> 
> https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html
> 
> Thanks in advance!
> 
> Sub-Zero
> 
> 



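A long-running version of the destination script, added here as an example and not code from either list message; the recipient, the subject and the idea of passing the delivery command as the script's arguments are assumptions. It keeps reading until syslog-ng closes its stdin, mails only lines carrying "[Priority: 1]", and does not re-mail an alert identical to the one it just sent (the quoted auth.log shows the same SHELLCODE alert three times within seconds, differing only in the timestamp).

```shell
#!/bin/bash
# Added example, not code from the list thread. A syslog-ng program()
# destination is started once and receives every matching message on stdin;
# a script that exits after one message causes the "Child program exited,
# restarting" loop quoted above. This one reads until the pipe is closed.
#
# Assumed usage (the delivery command is passed as the script's arguments):
#   destination email { program("/usr/local/bin/alert_mail.sh mail -s 'High Priority Snort Alert' admin@example.invalid"); };

# Mail body for one alert line, same wording as the script in the thread.
alert_body() {
    printf 'Alert, Priority 1\n%s\n' "$1"
}

# Message part from the first '[' on, i.e. without the syslog timestamp and
# host/program prefix, so that repeats of one alert compare equal.
alert_key() {
    case "$1" in
        *\[*) printf '[%s\n' "${1#*\[}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Read lines until syslog-ng closes stdin. Each new Priority 1 alert is piped
# to the delivery command given in "$@"; a line identical to the previously
# mailed alert (ignoring the timestamp) is counted but not mailed again.
process_alerts() {
    sent=0; dups=0; last=""
    while IFS= read -r line; do
        case "$line" in
            *"[Priority: 1]"*) ;;
            *) continue ;;
        esac
        key=$(alert_key "$line")
        if [ "$key" = "$last" ]; then
            dups=$((dups + 1))
            continue
        fi
        last=$key
        alert_body "$line" | "$@"
        sent=$((sent + 1))
    done
    printf 'alert_mail.sh: sent=%d suppressed=%d\n' "$sent" "$dups" >&2
}

# Without arguments only the functions are defined; syslog-ng passes the
# delivery command as arguments, so the read loop runs under syslog-ng.
if [ $# -gt 0 ]; then
    process_alerts "$@"
fi
```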