Snort mailing list archives
RE: Snort ---> syslog
From: "Don" <Don () WeberOnTheWeb com>
Date: Fri, 21 Jun 2002 08:36:15 -0700
Can you give me an example of what the ALERT would be, as far as the difference between alerting to syslog and alerting to anything else? I mean, as I understand it, the ALERT in and of itself contains just what is between the quotes on the alert line itself that states the message to be used. What other alert message is there that any other logging mechanism would provide?
Example: using sql.rules, one line is
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login
failed"; content: "Login failed for user |27|sa|27|"; flags:A+; offset:83;
classtype:attempted-user; sid:680; rev:3;)
When there is a failed login that triggers that specific rule, the alert sent to the syslog server is
snort[1152]: [1:688:3] MS-SQL sa login failed [Classification:
Unsuccessful User Privilege Gain] [Priority: 1]: {TCP} xx.xx.xx.xx:1433 ->
216.154.205.87:2405
Are you telling me, by saying "You will get a lot more information from the console manager you are using.", that I will get some other message by using any other logging method? If so, what other message would that be, and by what method?
Don
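The one-line syslog alert format quoted above is simple enough to parse on the collecting syslog server, which is also where Swatch-style filtering happens. The following Python is an added example, not code from the thread or from Snort: it parses lines in that format (assuming the field layout shown in the message; the sample lines and their addresses are constructed) and keeps only the priority-1 alerts.

```python
import re
from typing import Optional

# One-line Snort syslog alert format as shown in the thread:
#   snort[PID]: [GID:SID:REV] MSG [Classification: CLASS] [Priority: N]: {PROTO} SRC:SPORT -> DST:DPORT
# Classification is optional (rules without a classtype omit it) and ports are
# absent for port-less protocols such as ICMP, so both are optional here.
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("pid", "gid", "sid", "rev", "priority", "sport", "dport")

def parse_alert(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict; return None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def high_priority(lines, max_priority: int = 1) -> list:
    """Return parsed alerts at or above max_priority (Snort priority 1 is the
    most severe), skipping lines from other daemons on the same syslog host."""
    alerts = (parse_alert(line) for line in lines)
    return [a for a in alerts if a is not None and a["priority"] <= max_priority]

# Constructed sample syslog lines in the format quoted in the thread (RFC 5737 addresses).
SAMPLE_LINES = [
    "Jun 21 08:36:15 sensor1 snort[1152]: [1:688:3] MS-SQL sa login failed "
    "[Classification: Unsuccessful User Privilege Gain] [Priority: 1]: "
    "{TCP} 192.0.2.10:1433 -> 198.51.100.7:2405",
    "Jun 21 08:36:20 sensor1 snort[1152]: [1:9000001:1] constructed ICMP test "
    "[Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.7",
    "Jun 21 08:36:21 sensor1 sshd[991]: Accepted publickey for ops from 192.0.2.5 port 52211",
]

if __name__ == "__main__":
    for alert in high_priority(SAMPLE_LINES):
        print(alert["sid"], alert["msg"], alert["src"], "->", alert["dst"])
```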
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Steele
Sent: Friday, June 21, 2002 7:44 AM
To: 'spy'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort ---> syslog

Spyguy,

When you select Syslog you get 1 line of alert, and that line is limited to a number of characters. You will get a lot more information from the console manager you are using. You can use spade to do correlations, and there are others.

You can send the Syslog to a remote Syslog server and use Swatch to email alerts; this is the way to do it. Or use Swatch on the local Syslog, but of course this is *nix specific. Swatch won't run on Windows :(

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of spy
Sent: Wednesday, May 22, 2002 8:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort ---> syslog

Anyone have any experience with snort logging to syslog? I have a few questions before I 'try' it.

1) Are logs and alerts LACKING useful data that you would normally get with regular snort logging?
2) Are you using any correlation tools like NetForensics or something else?
3) Can you send syslog from multiple snort sensors to one syslog server and run swatch? If yes, what do you like/not like about doing it this way?

Thanks in advance!
spyguy

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users