Snort mailing list archives
syslog ? and file file ?
From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
Date: Wed, 7 Jul 2004 23:27:39 -0500
to give some details. we connect to the internet by connecting to the corp data center along with a bunch of other hospitals. since security is becomming more of a problem because of all the virus/trojan horse i decide i need to tight our side up even tho corp has fiewalls and other security process. so i want to get snort up and running and to watch for the basic attacks.i don't what to have to constantly twitch the rules because i don't have much time since im a one man shop hear at the hospital. would the standard rules and the options for the rules that come with the installation of snort be gone enough or should i turn on some other rules that are disabled in the standard install right now i have the router to corp---->hub---->switch, where i have snort and ntop installed in the hub on 2 different pc's I start working with snort yesterday. I finely got it to at least run. i have a windows 2000 pro with all the updates i installed snort 2.1.3 and winpcap 3.0 on another win2000 pro i have kiwi syslog running i'm using the installed rules and conf except for the following changes to the installed conf var HOME_NET[10.110.96.0/24,10.110.97.0/24,10.110.99.0/24,10.110.100.0/23,10.110.102.0/24,10.110.106.0/24,10.1.1.0/24] var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32] var SMTP_SERVERS [10.110.101.233/32] var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32] var RULE_PATH d:\ids\snort\rules output log_tcpdump: tcpdump.log output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT i issue the following command at the d:\ids\snor\bin dir snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25 it does create the alert.ids and the tcpdump file. but im not getting any syslog msg to the machine running kiwi syslog. i do have another device on the network sending msys to the syslog. so i know it can receive msg's 1)what is going wrong 2)assuming i get this to work, can i have syslog msg send to 2 different pc at the same time -------------------------------------------------------------- The next question. I want to get up and running quickly. In case of point the not host 10.250.24.25 is a solarwinds at the main corp. data center monitoring some equipment in our network. this seems to work but there is other equipment at corp that i trust and for now i would like to trust fully and at this time tight down to the actual stream the need. so my question is how can i add lets say 5 devices from corp from not generating alerts? do i create file lets say it is called ty.txt not host x not host y not host z not host g not host k then use the following snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d -f "c:\ty.txt" if this is not correct, can some one tell me how to do it correctly another issue i noticed why planning around, is that my snmp severs are generating alerts when the probe the router which is 10.110.101.254 even tho i used the var to declare my snmp pc's. do i need to added this ip number to the not host file as state above. if not, what am im doing wrong thank you wt ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- syslog ? and file file ? Turnquist,Wayne (Jul 07)