Snort mailing list archives
Re: Snort and Syslog
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 5 Apr 2013 16:30:55 -0600
It's actually pretty easy to suppress these in OSSEC. I have a couple of rules, but this is the one I use for ignoring
these syslog events that trigger OSSEC rule id 1002 (error somewhere in the system):
<!-- Child of rule 1002: fires only for syslog lines whose program name is snort -->
<rule id="101000" level="0">
  <if_sid>1002</if_sid>
  <program_name>^snort</program_name>
  <!-- OSSEC match: literal substrings, "|" is OR; one line, not wrapped -->
  <match>Check for Bounce Attacks:|Bad Message Direction Alert:|Bad Payload Size Alert:|Bad Chk Sum:|Bad TTL:|Bad autodetects:|Bad handshakes:</match>
  <description>Ignoring syslog events from snort startup</description>
</rule>
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: Thursday, April 04, 2013 11:50 AM
To: Jeremy Hoel
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Syslog
Hi Jeremy,
How many rules would be required in OSSEC to suppress those entries! ;) The issue is how to make Snort write to a
different file than syslog. I do not wish to suppress the Snort info, just redirect it to a different file so that I can
pick the juicy bits out to monitor. Appreciate the input.
Thanks.
________________________________
From: "Jeremy Hoel" <jthoel () gmail com>
To: "Phil Daws" <uxbod () splatnix net>
Cc: snort-users () lists sourceforge net
Sent: Thursday, 4 April, 2013 4:45:24 PM
Subject: Re: [Snort-users] Snort and Syslog
In OSSEC make a local rule to ignore the file and the process?
Or setup snort to not output to syslog..
and you might try running snort with the '-q' flag and see if it's quieter in the logs.
On Thu, Apr 4, 2013 at 12:23 PM, Phil Daws <uxbod () splatnix net> wrote:
Hi,
When Snort starts it writes specific information to /var/log/messages eg.
Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q
Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA
Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars
Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes)
Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294
Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275
Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19
Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0
Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637
How can I redirect those messages to a separate file, as it plays havoc with OSSEC :) I have tried adding snort.none to
rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(
Any thoughts please?
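An added example, not posted by anyone in this thread: the `snort.none` / `snort.*` selectors above cannot match because the left side of a classic selector is a syslog facility (auth, daemon, local0-7, ...) and "snort" is the program tag in `snort[2951]:`, not a facility. rsyslog can filter on that tag with a property-based filter. The drop-in filename and the destination path are assumptions.

```rsyslog
# Assumed location: /etc/rsyslog.d/10-snort.conf (added example, not from the thread).
# This filter must be evaluated BEFORE the rule that writes *.info;... to
# /var/log/messages, or the line is already in messages when it is discarded.

# Property-based filter: compare the syslog tag (programname), not the facility.
# Everything tagged "snort" goes to its own file ...
:programname, isequal, "snort"     /var/log/snort/snort-syslog.log
# ... and is then discarded so it never reaches the /var/log/messages rule.
# On rsyslog 7 and later "& stop" is the preferred spelling of "& ~".
& ~
```

On rsyslog 7+ the same filter can be written in RainerScript as `if $programname == 'snort' then { action(type="omfile" file="/var/log/snort/snort-syslog.log") stop }`. To check the ordering and the match without restarting Snort, send a test line with the same tag (`logger -t snort "rsyslog filter test"`) and confirm it appears in the new file and not in /var/log/messages. With the startup banner out of messages, OSSEC can be pointed at the new file with a `<localfile>` entry only if you want it to read the Snort output at all, which is the "pick the juicy bits" part of the question.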
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jefferson, Shawn (Apr 05)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Josh Bitto (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- <Possible follow-ups>
- Re: Snort and Syslog Lay, James (Apr 04)
