Snort mailing list archives
Re: Snort and Syslog
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 4 Apr 2013 17:48:54 +0000
OSSEC has many rules; you can tweak them. It's not a false positive. It is something you might want to know, if you have no other tools telling you the data.

On Thu, Apr 4, 2013 at 5:38 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 4/4/2013 10:45, Josh Bitto wrote:
You're probably better off asking this question in rsyslog's mail group. I've gotten a lot of help from them.

or even better, report it to OSSEC so it can be fixed and not have the problems any more... one has to wonder what all the other OSSEC using sites do since this info is always posted... i just checked a live snort 2.8.something installation and it posts this info, too... i know there are folks using OSSEC who used to run snort 2.8...

-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: Thursday, April 04, 2013 5:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Syslog

Hi,

When Snort starts it writes specific information to /var/log/messages eg.

Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q
Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA
Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars
Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4bytes)
Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294
Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275
Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19
Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0
Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(

Any thoughts please?

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness. Reduce network management and security costs. Learn how to hire the most talented Cisco Certified professionals. Visit the Employer Resources Portal http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
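Added example (not from this thread, and not Snort's or rsyslog's own documentation): an rsyslog fragment that does what Phil's `snort.none` / `snort.*` selectors were meant to do. The reason the selectors did not work is that the left side of a classic selector is a syslog facility (auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, local0-local7); "snort" is a program name, not a facility, so rsyslog cannot match on it that way. The program name is available as the `programname` message property, which is the token before the PID in the quoted lines (`fw1 snort[2951]: ...`). The file name and path below are assumptions, and the fragment assumes rsyslog 7 or later for the `stop` keyword and that `/etc/rsyslog.d/*.conf` is included before the rule that writes `/var/log/messages` (the default layout on Debian and RHEL derivatives).

```conf
# /etc/rsyslog.d/10-snort.conf   (assumed file name; must load before the
# "*.info;mail.none;authpriv.none;cron.none  /var/log/messages" rule)

# What was tried, and why it fails: "snort" is not a syslog facility, so
# rsyslog rejects these selectors at load time and they never take effect.
#   snort.*      /var/log/snort/snort.log
#   snort.none   /var/log/messages

# What works: filter on the program name rsyslog parses out of
# "fw1 snort[2951]: ..." and stop processing, so the message is written to
# the Snort file only and never reaches the /var/log/messages rule below.
if $programname == 'snort' then {
    action(type="omfile" file="/var/log/snort/snort.log")
    stop
}

# Equivalent legacy syntax for rsyslog older than v7 (discard is "& ~"):
#   :programname, isequal, "snort"  /var/log/snort/snort.log
#   & ~
```

To check it without restarting Snort, run `rsyslogd -N1` to validate the configuration, reload rsyslog, then send a tagged test message with `logger -t snort "programname filter test"` and confirm it lands in `/var/log/snort/snort.log` and not in `/var/log/messages`. Since OSSEC was the reason for the question, remember to stop monitoring the new file in `ossec.conf` (or leave it out of the `<localfile>` list) if the goal is to keep the startup banner away from OSSEC entirely.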
Current thread:
- Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jefferson, Shawn (Apr 05)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Josh Bitto (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- <Possible follow-ups>
- Re: Snort and Syslog Lay, James (Apr 04)