Snort mailing list archives
Re: can snort decode syslog traffic and feed that traffic into logsnorter
From: "Raymond Jacob" <jacob_raymond () hotmail com>
Date: Tue, 04 Dec 2001 15:49:46 +0000
From: John Sage <jsage () finchhaven com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] can snort decode syslog traffic and feed that traffic into logsnorter
Date: Mon, 03 Dec 2001 19:06:11 -0800

Raymond:

I don't believe this is referring to syslog traffic *within* one box, rather I think the idea is that snort can sniff syslog traffic going from one host to another (if they are set up that way...), or from several hosts to a central logserver...

++ That was my understanding too. I am sorry that was
++ not clear in my email.

Does that make any sense?

++ Yes that does.

snort can output to syslog on the snort box, here's what I use:

++ I must not have been very clear in my original email.
++ So I will try again. As the article I mentioned says:
++ you can use a packet capture tool to do stealth logging
++ of syslog messages sent from a host or a router.
++ I thought in order to do this there would exist a
++ filter that could capture the syslog traffic from the
++ network and output that traffic to a log file that
++ logsnorter could use as input to an IDS console that
++ would correlate events from your router, host, or firewall.
++ For example: as a network security person, if I saw a lot of
++ Nimda activity, I would like to know that my router is
++ blocking the majority of the traffic. If a user has
++ deployed a new application or DNS or MTA, and has not
++ received approval, then I will know about it a week or
++ two before instead of Friday at 3:00pm ;-).
++ Lastly, you only have eight [0-7] local facilities in syslog.
++ With a stealth logger, theoretically, since I would be
++ logging based on IP addresses, I could log activity from
++ more than eight devices on servers in my DMZ, trusted network,
++ and untrusted network. I hope that clarifies what I am looking
++ to do.
++
++ Respectfully,
++ Raymond
++ My question is: does such a filter exist?
++ I have not read my daily digest yet so the answer may
++ already be there.

  # output alert_syslog: LOG_AUTH LOG_ALERT
  output alert_syslog: LOG_DAEMON LOG_ALERT
  # as from RELEASE

As to "logsnorter", I know not...

HTH..

- John

Raymond Jacob wrote:

I am a lurker and I apologize in advance. I was looking through my December 2001 Linux Journal and on page 34 there are a few paragraphs on setting up a stealth logserver by Lance Spitzner of the Honeynet Project (www.honeynet.org). He suggests:

... It is not necessary for a central logserver... to have an IP address; the logserver passively can sniff the log messages via snort or some other packet sniffer... In addition, to configure each DMZ host's syslog.conf file to log to the bogus IP, you'll also need a bogus ARP entry on each sending host.

Question: The above makes sense to me. The only part I was not aware of was snort's ability to capture syslog traffic and output that traffic into a syslog messages file. Has anyone written a plugin, if that is the correct word, to do this already? I would assume that logsnorter would be able to convert the Cisco and netfilter denials into snort events.

Again, I apologize in advance if this question demonstrates my ignorance.

Raymond
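The "filter" Raymond is asking about, written out as an added example for this archive page (it is not code from the thread, from snort or from logsnorter): a passive syslog collector that decodes Ethernet/IPv4/UDP frames, keeps only traffic to UDP/514, parses the RFC 3164 PRI field into facility and severity, and buckets messages by sender IP rather than by syslog facility. That is the point of his "more than eight devices" remark: a sniffer keyed on source address is not limited to local0-local7. The sample frames, the hostnames and the log lines inside them are constructed for the demo; the `sniff()` helper is a plain Linux AF_PACKET raw socket and is not called at import time.

```python
"""Passive syslog capture off the wire, bucketed by sender IP.

Added example for the snort-users thread above, not code from the posts,
snort or logsnorter. Frame layout is standard Ethernet II / IPv4 / UDP;
the sample frames below are constructed.
"""
import socket
import struct
from collections import defaultdict

SYSLOG_PORT = 514
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_frame(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # IPv4 only; no 802.1Q handling
        return None
    ip = frame[14:]
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or ihl < 20 or total_len < ihl + 8 or len(ip) < total_len:
        return None  # not UDP, or truncated
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:total_len]
    _src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    return src_ip, dst_ip, dst_port, udp[8:udp_len]


def parse_syslog(payload: bytes):
    """Split an RFC 3164-style '<PRI>text' into (facility, severity, text).
    Anything without a valid PRI (0..191) is kept, tagged 'unknown'."""
    text = payload.decode("utf-8", errors="replace")
    if text.startswith("<"):
        end = text.find(">", 1, 5)
        if end != -1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:
                return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text[end + 1:]
    return "unknown", "unknown", text


def collect_syslog(frames):
    """Return {sender_ip: [(facility, severity, text), ...]} for all UDP/514 traffic.
    The collecting host needs no IP of its own, and because the key is the
    sender address, the eight local* facilities no longer cap how many devices
    can be told apart."""
    by_host = defaultdict(list)
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src_ip, _dst_ip, dst_port, payload = decoded
        if dst_port == SYSLOG_PORT:
            by_host[src_ip].append(parse_syslog(payload))
    return dict(by_host)


def build_frame(src_ip, dst_ip, payload, src_port=514):
    """Constructed test frame; checksums are zero because decode_frame ignores them."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, SYSLOG_PORT, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


def sniff(interface, count):
    """Linux only, needs root: read `count` raw frames from `interface`. Not run here."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    sock.bind((interface, 0))
    return [sock.recv(65535) for _ in range(count)]


# Constructed samples: a router ACL denial (local7.info), a host auth failure
# (auth.info), a non-syslog datagram on 514, and a message from a third device.
SAMPLE_FRAMES = [
    build_frame("192.0.2.1", "192.0.2.250",
                b"<190>Dec  3 19:06:11 rtr1 list 101 denied tcp 203.0.113.7(4321) -> 192.0.2.10(80), 1 packet"),
    build_frame("192.0.2.10", "192.0.2.250",
                b"<38>Dec  3 19:06:12 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 40022 ssh2"),
    build_frame("192.0.2.10", "192.0.2.250", b"not a syslog line"),
    build_frame("192.0.2.20", "192.0.2.250", b"<13>dns1 named[77]: starting BIND", src_port=40000),
]

if __name__ == "__main__":
    for host, msgs in collect_syslog(SAMPLE_FRAMES).items():
        for facility, severity, text in msgs:
            print(f"{host:15} {facility}.{severity:8} {text}")
```

Run as a script it prints the three senders and four messages from the constructed frames; in real use, replace `SAMPLE_FRAMES` with `sniff("eth0", n)` on a host whose interface has no address configured, which is the "stealth" setup Spitzner describes. Feeding the result to logsnorter would still require writing it in whatever file format logsnorter expects, which this thread does not document.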
Current thread:
- can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Jason Haar (Dec 03)
- <Possible follow-ups>
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 04)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 04)