Bug#862185: snort: Logs truncated at startup

2021-09-05 Thread Javier Fernandez-Sanguino
tag 862185 wontfix moreinfo
thanks

Dear Matthew,

On Tue, 9 May 2017 at 17:06, Mattthew Gabeler-Lee wrote:

> The default (and recommended even by UPSTREAM) configuration for snort
> logging has the "nostamp" flag on the logging configurations.
>

The default configuration in Debian already uses nostamp, as you can see
in the /etc/snort/snort.conf configuration file:

output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output alert_unified2: filename snort.alert, limit 128, nostamp

However, with this option on, the log files are still truncated. The nostamp
option is not well documented, neither in the manual nor in the
README.unified2 document (available in the package and also here:
https://www.snort.org/faq/readme-unified2). However, as you can see by looking
at the source code (more specifically in src/output-plugins/spo_unified2.c),
this option actually seems to only omit the timestamp from the *names* of the
logfiles created:

    if (!config->nostamp)
    {
        if (SnortSnprintf(filepath, sizeof(filepath), "%s.%u",
                          config->filepath, config->timestamp) !=
            SNORT_SNPRINTF_SUCCESS)
        {
            FatalError("%s(%d) Failed to copy unified2 file path.\n",
                       __FILE__, __LINE__);
        }

        fname_ptr = filepath;
    }

As far as I am aware there is no option to prevent truncation of the log
files when (re)starting Snort. The only option would be to configure
timestamps in the logfiles (so that new logfiles are created with a
different filename), but enabling that would then break the snort-stat
script as well as the log rotation mechanisms currently defined in the
package.

I'm setting this bug initially as wontfix and will consider closing it
in the future unless an option is provided. For example, the spo_unified2.c
code could be modified to append to the desired file instead of overwriting
it, but I feel this should be handled upstream.

Of course, as a workaround, users can remove the 'nostamp' option from the
configuration and adjust their logrotate setup to cater for files with
timestamps.

Best regards


Javier
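To make the distinction in the reply above concrete, here is a small added C illustration (not snort's code and not part of this thread): it mirrors the quoted file-name logic, then simulates two restarts that reopen a fixed log name, once with a truncating open and once appending, which is the alternative the reply suggests. The demo paths under /tmp and the sample record are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Mirror of the quoted spo_unified2.c branch: with nostamp the configured
 * path is used unchanged (so every restart reuses the same file); without
 * it the epoch timestamp is appended. Returns 1 if the name fit, 0 if not. */
int build_log_path(const char *base, int nostamp, unsigned timestamp,
                   char *out, size_t outlen)
{
    int n = nostamp ? snprintf(out, outlen, "%s", base)
                    : snprintf(out, outlen, "%s.%u", base, timestamp);
    return n >= 0 && (size_t)n < outlen;
}

/* Simulate two daemon runs that each write one record to the same path,
 * closing and reopening the file between them (the "restart"). mode "wb"
 * truncates on open, "ab" appends. Returns the bytes left afterwards. */
long simulate_restarts(const char *path, const char *mode)
{
    const char record[] = "unified2-record";   /* constructed 15-byte sample */
    for (int run = 0; run < 2; run++) {
        FILE *f = fopen(path, mode);
        if (!f)
            return -1;
        fwrite(record, 1, sizeof record - 1, f);
        fclose(f);
    }
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    char path[256];
    build_log_path("snort.log", 0, 1494345600u, path, sizeof path);
    printf("without nostamp the file name becomes: %s\n", path);
    /* Demo paths are constructed; on fresh files "wb" leaves 15 bytes
     * (second run wiped the first), "ab" leaves 30 (both records kept). */
    printf("fixed name, truncating open: %ld bytes survive two runs\n",
           simulate_restarts("/tmp/snort-demo-trunc.log", "wb"));
    printf("fixed name, appending open:  %ld bytes survive two runs\n",
           simulate_restarts("/tmp/snort-demo-append.log", "ab"));
    return 0;
}
```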


Bug#862185: snort: Logs truncated at startup

2017-05-09 Thread Mattthew Gabeler-Lee
Package: snort
Version: 2.9.7.0-5
Severity: important

The default (and recommended even by UPSTREAM) configuration for snort
logging has the "nostamp" flag on the logging configurations.

Which means that every time you start snort, it truncates your logfile.

This is a BRILLIANT configuration default and recommendation for security
software! /s

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages snort depends on:
ii  adduser                      3.115
ii  debconf [debconf-2.0]        1.5.60
ii  libc6                        2.24-10
ii  libdaq2                      2.0.4-3+b1
ii  libdumbnet1                  1.12-7+b1
ii  liblzma5                     5.2.2-1.2+b1
ii  libpcap0.8                   1.8.1-3
ii  libpcre3                     2:8.39-3
ii  logrotate                    3.11.0-0.1
ii  net-tools                    1.60+git20161116.90da8a0-1
ii  rsyslog [system-log-daemon]  8.24.0-1
ii  snort-common                 2.9.7.0-5
ii  snort-common-libraries       2.9.7.0-5
ii  snort-rules-default          2.9.7.0-5
ii  zlib1g                       1:1.2.8.dfsg-5

Versions of packages snort recommends:
ii  iproute2  4.9.0-1

Versions of packages snort suggests:
pn  snort-doc

-- Configuration Files:
/etc/default/snort changed [not included]

-- debconf information excluded