FW: Snort, Syslog, and alert.ids (Updated)

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 07/27/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065438A@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
Subject: FW: Snort, Syslog, and alert.ids (Updated)
Date: Fri, 27 Jul 2001 17:12:14 -0400


[not sure why I even asked the first question]

2) While alerts are getting written to alert.ids just fine, I can't seem to
figure out how to specify the location of my syslog server in the absence of
"-s 192.168.7.X:514". Snort initializes just fine, I suppose because the
rule type is written correctly. But it doesn't know where to send syslog
alerts.

Thanks again for the assistance.

-----Original Message-----
From: Martin Roesch [mailto:roesch@sourcefire.com]
Sent: Friday, July 27, 2001 3:47 PM
To: McCammon, Keith
Cc: 'focus-ids@securityfocus.com'
Subject: Re: Snort, Syslog, and alert.ids

Use the snort.conf file and define both alert types:

output alert_syslog: ...
output alert_full: ...

Be sure not to specify a command line option for alerting; it'll
override what you specify in the snort.conf file.

     -Marty

"McCammon, Keith" wrote:
>
> Hello all,
>
> This will be quick...
>
> I'm running a new instance of Snort on a W2K box. Is there a fast and dirty
> way to send messages to syslog *and* alert.ids?
>
> Keith W. McCammon

--
Martin Roesch
roesch@sourcefire.com
http://www.sourcefire.com - http://www.snort.org
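
As an added example that is not part of the thread, this is a snort.conf output section that does what Marty describes (Snort 1.8-era syntax): both alert types are defined in the config file and nothing alerting-related is passed on the command line. The host= option on alert_syslog is how the Win32 builds name a remote syslog server; SYSLOG_SERVER_IP and the file name are placeholders, not values from the thread.

```conf
# Added example, not from the thread. Define both outputs here and do NOT
# pass -A or -s on the command line, since a command line alerting option
# overrides whatever is configured in snort.conf.

# Syslog output. host= names the remote syslog server (Win32 builds);
# SYSLOG_SERVER_IP is a placeholder for the real collector address.
# Messages go out as facility LOG_AUTH, severity LOG_ALERT.
output alert_syslog: host=SYSLOG_SERVER_IP:514, LOG_AUTH LOG_ALERT

# Full alert output to a file in the log directory given by -l.
# alert.ids is the file name Keith's W2K install already uses.
output alert_full: alert.ids
```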


