Re: FW: Snort, Syslog, and alert.ids (Updated)

From: Martin Roesch (roesch@sourcefire.com)
Date: 07/27/01


Message-ID: <3B61DF2A.6CB925C6@sourcefire.com>
Date: Fri, 27 Jul 2001 17:37:46 -0400
From: Martin Roesch <roesch@sourcefire.com>
To: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
Subject: Re: FW: Snort, Syslog, and alert.ids (Updated)

Is this on Windows? If not, you need to modify your syslog.conf. If it
is on Windows, you need to mail Mike Davis (mike@datanerds.net) and ask
him how he wrote it. Also make sure your syslog server is accepting
external data...

    -Marty

"McCammon, Keith" wrote:
>
> [not sure why I even asked the first question]
>
> 2) While alerts are getting written to alert.ids just fine, I can't seem to
> figure out how to specify the location of my syslog server in the absence of
> "-s 192.168.7.X:514". Snort initializes just fine, I suppose because the
> rule type is written correctly. But it doesn't know where to send syslog
> alerts.
>
> Thanks again for the assistance.
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch@sourcefire.com]
> Sent: Friday, July 27, 2001 3:47 PM
> To: McCammon, Keith
> Cc: 'focus-ids@securityfocus.com'
> Subject: Re: Snort, Syslog, and alert.ids
>
> Use the snort.conf file and define both alert types:
>
> output alert_syslog: ...
> output alert_full: ...
>
> Be sure not to specify a command line option for alerting, it'll
> override what you specify in the snort.conf file.
>
> -Marty
>
> "McCammon, Keith" wrote:
> >
> > Hello all,
> >
> > This will be quick...
> >
> > I'm running a new instance of Snort on a W2K box. Is there a fast and
> > dirty way to send messages to syslog *and* alert.ids?
> >
> > Keith W. McCammon
>
> --
> Martin Roesch
> roesch@sourcefire.com
> http://www.sourcefire.com - http://www.snort.org

--
Martin Roesch
roesch@sourcefire.com
http://www.sourcefire.com - http://www.snort.org
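For reference, the configuration this thread is working toward, as an added example that is not part of the original messages: a snort.conf fragment defining both output plugins, plus the matching syslog.conf entries on the receiving side. The address, facility/priority and file names are assumed values; the `host=` form is the syntax later Snort releases document for the Win32 build, not something the thread itself gives.

```conf
# snort.conf (added example; values are assumed, not taken from the thread)
#
# Define BOTH output plugins here and start Snort WITHOUT -s or -A on the
# command line: a command-line alerting option overrides these entries.

# Unix/Linux: hand alerts to the local syslogd. Where they end up, and
# whether they are forwarded to a remote host, is decided by syslog.conf.
output alert_syslog: LOG_AUTH LOG_ALERT

# Windows build: there is no local syslogd, so the target host has to be
# named on the plugin line itself (syntax documented for the Win32 port in
# later Snort releases; the address below is a placeholder).
# output alert_syslog: host=192.168.7.X:514, LOG_AUTH LOG_ALERT

# Full-text alerts to a file in the log directory (-l); this is the
# alert.ids style output the question asks about.
output alert_full: alert.ids

# --- syslog.conf on the Unix syslog server (sysklogd style) ---
# LOG_AUTH / LOG_ALERT from the plugin above arrives as auth.alert; give
# it its own file so Snort alerts are not buried in the general log.
# auth.alert                      /var/log/snort-alerts
#
# On a sensor that should forward its local syslog to the central server:
# auth.alert                      @syslog.example.net
#
# sysklogd drops remote UDP messages unless it was started with -r
# ("syslogd -r"); verify that before blaming the Snort side.
```

The lines commented out are the alternative forms; enable only the ones that match the platform and role of the host in question.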
