Re: can snort decode syslog traffic and feed that traffic into logsnorter

["Raymond Jacob" <jacob_raymond () hotmail com>]

From: John Sage <jsage () finchhaven com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] can snort decode syslog traffic and feed that 
traffic into logsnorter
Date: Mon, 03 Dec 2001 19:06:11 -0800

Raymond:

I don't believe this is refering to syslog traffic *within* one box,
rather I think the idea is that snort can sniff syslog traffic going
from one host to another (if they are set up that way...), or from
several hosts to a central logserver...
++ That was my understanding too. I am sorry that was
++ not clear in my email.
Does that make any sense?
++ Yes that does.
snort can output to syslog on the snort box, here's what I use:
++ I must not have been very clear in my original email.
++ So I will try again. As the article I mentioned says:
++ you can use a packet capture tool to do stealth logging
++ of syslog messages sent from a host or a router.
++ I thought in order to do this there would exist a
++ filter that could capture the syslog traffic from the
++ the network and output that traffic to a log file that
++ logsnorter could use as input to an ids console that
++ would corelate events from your router, host, or firewall.
++ For example: As a Network Security person if I saw a alot
++ nimda activity. I would like to know that my router is
++ blocking the majority of the traffic. If a user has
++ deployed a new application or DNS or MTA, and has not
++ recieved approval then I will know about it a week or
++ two before instead of Friday at 3:00pm ;-).
++ Lastly, you only have eight[0-7] local facilities in syslog.
++ With a stealth logger theoretically since I would be
++ logging based on ip addresses I could log activity from
++ more than eight devices on server in my DMZ, trusted network,
++ untrusted network. I hope that clarifies what I am looking
++ to do.
++
++ Respectfully,
++ Raymond
++ My question is does such a filter exist?
++ I have not read my daily digest yet so the answer may
++ already be there.
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: LOG_DAEMON LOG_ALERT
# as from RELEASE


As to "logsnorter", I know not...

HTH..

- John

Raymond Jacob wrote:

> I am a lurker and I appologize in advance.
> I was looking through my December 2001
> Linux Journal and on page 34 there
> are few paragraphs on setting up
> a stealth logserver by Lance Spitzner
> of the honeynet project(www.honeynet.org).
> He suggests:...
>  It is not necessary for a central
>  logserver... to have an IP address;
>  the logserver passively can sniff
>  the log messages via snort or
>  some other packet sniffer...
>  In addition, to configure each
>  DMZ host's syslog.conf file to
>  log to the bogus IP, you'll also
>  need a bougus ARP entry on each
>  sending host.
>
> Question: The above makes sense to me.
> The only part I was not aware of was
> snort's ability to capture syslog
> traffic and output that traffic
> into a syslog messages file? Has
> anyone written a plugin, if that
> is the correct word, to do this
> already? I would assume that
> logsnorter would be able to
> convert the cisco and netfilter denials
> into snort events.
>
> Again, I appologize in advance if this
> question demonstrates my ignorance.
> Raymond





_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users