Logging snort old tutorial 2006

Hi there,

I have a little problem again: I want to install and use an IPS and IDS program on my APU2.

But all the tutorials are outdated and I am stuck on logging with Snort. I think Snort can be installed and used the same way, but the logging part with nvram isn't working.
I want to solve the problem by myself, but I don't know what I'm looking for. Could someone help me on my way?

Here is the tutorial: https://www.linux.com/news/snort-openwrt-guarding-soho-perimeter/

Here is the nvram output:

root@OpenWrt:~# nvram set log_ipaddr=<192.168.1.101>
-ash: syntax error: unexpected newline
root@OpenWrt:~# nvram set log_ipaddr=<192.168.1.101>
-ash: syntax error: unexpected newline
root@OpenWrt:~# nvram set log_ipaddr=<192.168.0.101>
-ash: syntax error: unexpected newline
root@OpenWrt:~# nvram set log_ipaddr=192.168.0.101
-ash: nvram: not found

Thanks again in advance.

Did you check the official OpenWrt wiki/website? There is an article about Snort that is imho updated enough (all the commands it uses are modern and should work): https://openwrt.org/docs/guide-user/services/snort

Afaik "nvram" is an ancient command to write config into a special memory area of routers. It's long gone in modern OpenWrt, which now acts like a more conventional Linux distro with a writable disk, files and so on.


Does "output alert_syslog: LOG_AUTH LOG_ALERT" log to the logger? And can I read those with the logread utility?

Thanks for the fast response.

I don't know, I've never used Snort, although it likely works like that because that's what the "syslog" is on OpenWrt.

If you are adding software that will write many things to the logs (which, as far as I understand, is the case for Snort) and you want to read logs from more than a few days in the past, you might want to set up a custom logging location.

OpenWrt's logs that you read with logread are kept in memory; every once in a while, when the buffer is full, older entries are deleted (otherwise it would fill the RAM).
This is done because you cannot write to the onboard flash memory of a router many times before it goes bad.

Since you said you have a PCengines APU2, the system has USB ports, so you can probably just add a USB flash drive and write the logs there. Worst case, the USB drive dies and you lose logs, which is better than killing the SD card with OpenWrt on it, or the onboard flash of a router.

See here to set up a local or remote log file: https://openwrt.org/docs/guide-user/base-system/log.essentials

And here to add USB storage to OpenWrt: https://openwrt.org/docs/guide-user/storage/usb-drives
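Once Snort's alert_syslog output lands in the OpenWrt syslog, the lines from logread (or from the log file set up above) can be parsed and summarized. The script below is an added example, not code from this thread or from the OpenWrt/Snort projects; it assumes the classic Snort 2.x syslog alert line format and uses a constructed logread sample rather than real captured data.

```python
import re
from collections import Counter

# Assumption: Snort 2.x alert_syslog line layout
# "[gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst"
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# Constructed sample of what `logread` could show with LOG_AUTH LOG_ALERT;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOGREAD = """\
Tue Jan  1 10:00:01 2019 auth.alert snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234
Tue Jan  1 10:00:02 2019 daemon.info dnsmasq[987]: started, version 2.80 cachesize 150
Tue Jan  1 10:00:05 2019 auth.alert snort[1234]: [1:2010937:3] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44512 -> 192.168.1.20:3306
Tue Jan  1 10:00:09 2019 auth.alert snort[1234]: [1:2010937:3] ET POLICY Suspicious inbound to mySQL port 3306 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44520 -> 192.168.1.20:3306
"""

def parse_alerts(text):
    """Return one dict per Snort alert line; non-Snort syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts

def summarize(alerts, max_prio=2):
    """Count alerts at or above a severity (Priority 1 is most severe) by rule and by source IP."""
    by_rule = Counter()
    by_src = Counter()
    for a in alerts:
        if a["prio"] <= max_prio:
            by_rule[(a["sid"], a["msg"])] += 1
            by_src[a["src"].rsplit(":", 1)[0]] += 1  # strip the port, if any
    return by_rule, by_src

if __name__ == "__main__":
    by_rule, by_src = summarize(parse_alerts(SAMPLE_LOGREAD))
    for (sid, msg), n in by_rule.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  alerts from {src}")
```

On the router itself, the same parser can be fed with `logread | python3 script.py` once a Python package is installed, or run on another machine against the log file copied off the USB drive.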