snort not logging full output to syslog
You are likely seeing everything that you can actually see. Snort operates much like an anti-virus application. You provide it a list of signatures that indicate badness (the rules files) and whenever the Snort sees a traffic pattern that matches said signature, it throws an alert. The information you receive for each alert is configured by the rule author. For example, let's look at the following alert
[1:2013497:2] ET TROJAN MS Terminal Server User A Login, possible Morto inbound [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.15.253.22:3254 -> 192.168.100.15:3389
Right, so we know
- 4-tuple that identifies the network connection, (10.15.253.22:3254 -> 192.168.100.15:3389)
- a description that explains what this alert means (the bit about Morto)
- and the rule ID (2013497)
Now, let's look at the actual rule that triggered this.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2;)
We can see that the descriptive text that we get alerted on is in the msg field. That is really just a free-text field that is used by the rule author to let us know what's going on. When syslogging an alert the Snort application only logs this information. That is, you won't get anything else. Now, I think that you're after is the reference, CAN-2001-0540.
What you need to look at are some of the additional programs that operate with Snort. There are a number of them that have existed for years. The two projects that immediately spring to my mind are Snorby and BASE. Setting up either one of them will increased the complexity of your environment, but it may be worth it.