Snort mailing list archives
Re: Windows Event Log & alert.ids
From: "Scot Scot" <scotw () hotmail com>
Date: Sat, 18 Oct 2003 11:02:48 -0500
----- Original Message -----
From: "grant" <grant () macaulayconsultants co uk>
To: <snort-users () lists sourceforge net>
Sent: Thursday, October 16, 2003 7:45 AM
Subject: [Snort-users] Windows Event Log & alert.ids

Does anybody know if it is possible to run the -E option to write events and log as normal to the alert.ids file? This will allow me to alert through BMC Patrol and also provide reports and invasion response via snortsnarf.

Thanks
Grant

<snip>

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scot Scot
Sent: 16 October 2003 22:36
To: grant; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Windows Event Log & alert.ids

Try this: Place either of these lines in the snort.conf file under your output plugins configuration. You may want to use alert_fast for snortsnarf & ACID stuff.

output alert_full: alert.ids
output alert_fast: alert.ids

Scot Wiedenfeld
Just my 2.0134 cents worth (tax included)

<snip>

From: "grant" <grant () macaulayconsultants co uk>
To: <snort-users () lists sourceforge net>
Sent: Thursday, October 16, 2003 6:10 PM
Subject: RE: [Snort-users] Windows Event Log & alert.ids

When I use the -E option it overrides any output options.

Thanks
Grant

<snip>

Instead of using the -E option from the command line, specify "output alert_syslog: LOG_AUTH LOG_ALERT" in your snort.conf file. This string is the equivalent of the -E option. Below is a snippet from the snort.conf file:

# [Win32 can use any of these formats...]
# On NT this will log to the Application Eventlog, use this instead of the -E cmd shell option
output alert_syslog: LOG_AUTH LOG_ALERT
# This will create the alert.ids file, use this instead of the -A Full cmd shell option
output alert_full: alert.ids

Scot Wiedenfeld
Just my 2.0134 cents worth (tax included)
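As an added example (not from the thread, from SnortSnarf or from the Snort project), here is a small Python summariser for the alert.ids file that the alert_full plugin above writes; it counts alerts per signature and per source host, the kind of report grant wants to get out of snortsnarf. The alert_full record layout it parses and the sample data are assumptions made for the example.

```python
# Added example (not from the thread or from SnortSnarf): summarise an
# alert_full file such as alert.ids by signature and source host, the kind of
# report grant wants to feed into SnortSnarf. Assumes the classic alert_full
# layout: "[**] [gid:sid:rev] msg [**]" header, optional Classification/Priority
# line, then "timestamp src -> dst"; records are separated by blank lines.
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# Ports are optional so ICMP alerts (no ports) parse the same as TCP/UDP ones.
ADDR_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def parse_alert_full(text):
    """Yield one dict per alert record, skipping blocks that lack a header."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        rec = {"gid": int(m[1]), "sid": int(m[2]), "msg": m[4], "priority": None}
        for line in lines[1:]:
            if p := PRIO_RE.search(line):
                rec["priority"] = int(p[1])
            elif a := ADDR_RE.match(line):
                rec["time"], rec["src"], rec["dst"] = a[1], a[2], a[3]
        yield rec

def summarise(text):
    """Return (alerts per (sid, msg), alerts per source host)."""
    recs = list(parse_alert_full(text))
    return (Counter((r["sid"], r["msg"]) for r in recs),
            Counter(r.get("src", "?") for r in recs))

# Constructed sample alert.ids content (not real traffic).
SAMPLE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/16-07:45:12.123456 192.0.2.10 -> 192.0.2.1
ICMP TTL:46 TOS:0x0 ID:0 IpLen:20 DgmLen:28

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/16-07:46:01.000001 192.0.2.10:3011 -> 192.0.2.80:80

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/16-07:46:03.000002 192.0.2.11:3012 -> 192.0.2.80:80
"""
```

Run `summarise(open("alert.ids").read())` against a real alert_full file to get the two Counters; `most_common()` on each gives the top signatures and noisiest sources.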
Current thread:
- Windows Event Log & alert.ids grant (Oct 16)
- Re: Windows Event Log & alert.ids Scot Scot (Oct 16)
- <Possible follow-ups>
- Windows Event Log & alert.ids grant (Oct 16)
- RE: Windows Event Log & alert.ids grant (Oct 16)
- Re: Windows Event Log & alert.ids Scot Scot (Oct 18)
