Re: snort, trying to get this working how i want it

[bruneau () ottawa com (Guy Bruneau)]

Keith,

To log to the syslog facility use the -s option   "Log alert messages to syslog"
and it will log it to the syslog. If you want to log it to another host, you
should specify it into the /etc/hosts file where the loghost is.

Hope this help,

Guy Bruneau

Keith Pachulski wrote:

> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner () uow edu au
> NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> -----------------------------------------------------------------------------
> I`m trying to get snort to log to syslog facility local6.info but it won`t
> work. if I don`t specify a logto directory it createes the directory of the
> source IP. When I do specify a logto it logs to that file
>
> output alert_syslog: LOG_LOCAL6 LOG_INFO
>
> alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS159 - PING Microsoft
> Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:32;)
>
> # ./snort -c ruletest
>
> Initializing Network Interface...
>    => Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
>
> Segmentation fault
>
> problem two, when I try to use the resp command it crashes with -> ERROR:
> ruletest (10) => Unknown keyword "resp" in rule!
> alert tcp any any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval";
> content:"passwd"; flags: AP; resp: rst_all;)