RE: Snort, Syslog, and alert.ids

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 07/27/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB0654387@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
Subject: RE: Snort, Syslog, and alert.ids
Date: Fri, 27 Jul 2001 16:59:36 -0400

Thanks, as always, for the help. Here's what I've come up with:

ruletype sysalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_full: alert.ids
}

I removed the "-A full" and "-s 192.168.7.X:514" switches from the command
line so that they don't override anything in snort.conf.

A few things to follow up:

1) Do rules that I want to be alert.ids'd *and* syslog'd need to have
"alert" replaced by "sysalert" in the definitions? EX: sysalert tcp any 23
-> $HOME_NET any.

2) While alerts are getting written to alert.ids just fine, I can't seem to
figure out how to specify the location of my syslog server in the absence of
-s (since W2K has no syslog functionality native). Snort initializes just
fine, I suppose because the rule type is written correctly. But it doesn't
know where to send syslog alerts.

Thanks again.

-----Original Message-----
From: Martin Roesch [mailto:roesch@sourcefire.com]
Sent: Friday, July 27, 2001 3:47 PM
To: McCammon, Keith
Cc: 'focus-ids@securityfocus.com'
Subject: Re: Snort, Syslog, and alert.ids

Use the snort.conf file and define both alert types:

output alert_syslog: ...
output alert_full: ...

Be sure not to specify a command line option for alerting, it'll
override what you specify in the snort.conf file.

     -Marty

"McCammon, Keith" wrote:
>
> Hello all,
>
> This will be quick...
>
> I'm running a new instance of Snort on a W2K box. Is there a fast and dirty
> way to send messages to syslog *and* alert.ids?
>
> Keith W. McCammon

--
Martin Roesch
roesch@sourcefire.com
http://www.sourcefire.com - http://www.snort.org
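Added example, not code from Keith's or Marty's messages: a small Python relay that parses Snort's alert_full output (the alert.ids file the ruletype above writes) and forwards each record to a remote syslog collector over UDP, which is one way to cover the gap the second follow-up describes (a W2K sensor with no native syslog). The alert_full record layout in the constructed sample, the "snort: [gid:sid:rev] msg ...: {PROTO} src -> dst" message shape borrowed from the alert_syslog plugin, and the hostname, host and port parameters are assumptions; the LOG_AUTH/LOG_ALERT pairing mirrors the sysalert ruletype.

```python
"""Parse Snort alert_full records and relay them to a syslog server over UDP.

Added example; assumptions (not from the thread): alert.ids uses the classic
multi-line "[**] [gid:sid:rev] msg [**]" alert_full layout shown in the
constructed sample below, and the collector accepts BSD syslog (RFC 3164).
"""
import re
import socket
from datetime import datetime

# Facility and severity codes as numbered by the BSD syslog protocol.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18,
              "LOG_LOCAL3": 19, "LOG_LOCAL4": 20, "LOG_LOCAL5": 21,
              "LOG_LOCAL6": 22, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

# Constructed sample of two alert_full records (not real sensor output).
SAMPLE_ALERT_IDS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/27-16:59:36.123456 10.1.2.3 -> 192.168.7.5
ICMP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:718:3] TELNET login incorrect [**]
[Classification: Attempted Login] [Priority: 2]
07/27-17:01:02.000001 192.168.7.5:23 -> 10.1.2.3:40001
TCP TTL:64 TOS:0x10 ID:12345 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x1234ABCD  Ack: 0x9ABCDEF0  Win: 0x2000  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_alert_full(text):
    """Split alert_full text into records (a blank line ends each record)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header; skip rather than guess
        gid, sid, rev, msg = head.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None, "timestamp": None,
                 "src": None, "dst": None, "proto": None}
        expect_proto = False
        for line in lines[1:]:
            if expect_proto:  # the line after the packet line starts with the protocol
                alert["proto"] = line.split()[0]
                expect_proto = False
                continue
            cls = CLASS_RE.match(line)
            if cls:
                alert["classification"] = cls.group(1)
                alert["priority"] = int(cls.group(2))
                continue
            pkt = PACKET_RE.match(line)
            if pkt:
                alert["timestamp"], alert["src"], alert["dst"] = pkt.groups()
                expect_proto = True
        alerts.append(alert)
    return alerts


def syslog_pri(facility, severity):
    """PRI value = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_syslog(alert, facility="LOG_AUTH", severity="LOG_ALERT",
                  hostname="snortsensor", year=None):
    """Render one alert as a BSD syslog line in the alert_syslog-style shape."""
    year = year or datetime.now().year  # alert_full timestamps carry no year
    ts = datetime.strptime(f"{year}/{alert['timestamp'][:14]}", "%Y/%m/%d-%H:%M:%S")
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"  # space-padded day
    body = (f"snort: [{alert['gid']}:{alert['sid']}:{alert['rev']}] {alert['msg']} "
            f"[Classification: {alert['classification']}] [Priority: {alert['priority']}]: "
            f"{{{alert['proto']}}} {alert['src']} -> {alert['dst']}")
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {body}"


def relay_to_syslog(text, host, port=514, **fmt):
    """Send each parsed alert as one UDP datagram to host:port; returns the count."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sent = 0
        for alert in parse_alert_full(text):
            sock.sendto(format_syslog(alert, **fmt).encode("utf-8"), (host, port))
            sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    # Dry run: show the lines that would be sent, without touching the network.
    for a in parse_alert_full(SAMPLE_ALERT_IDS):
        print(format_syslog(a, year=2001))
```

Pointing relay_to_syslog at the collector (for example relay_to_syslog(open("alert.ids").read(), "192.168.7.X")) replaces the -s switch for the Windows case; the year is supplied by the caller because alert_full timestamps omit it, and UDP syslog carries no delivery guarantee, so alert.ids remains the authoritative record.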


