Re: can snort decode syslog traffic and feed that traffic into logsnorter

[John Sage <jsage () finchhaven com>]

Raymond:

Raymond Jacob wrote:

> From: John Sage <jsage () adsfasdf com>
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] can snort decode syslog traffic and feed that 
> traffic into logsnorter
> Date: Mon, 03 Dec 2001 19:06:11 -0800
>
> Raymond:
>
> I don't believe this is refering to syslog traffic *within* one box,
> rather I think the idea is that snort can sniff syslog traffic going
> from one host to another (if they are set up that way...), or from
> several hosts to a central logserver...
> ++ That was my understanding too. I am sorry that was
> ++ not clear in my email.


Just wanted to make sure *I* knew what you were talking about ;-)


> Does that make any sense?
> ++ Yes that does.
> snort can output to syslog on the snort box, here's what I use:
> ++ I must not have been very clear in my original email.
> ++ So I will try again. As the article I mentioned says:
> ++ you can use a packet capture tool to do stealth logging
> ++ of syslog messages sent from a host or a router.
> ++ I thought in order to do this there would exist a
> ++ filter that could capture the syslog traffic from the
> ++ the network and output that traffic to a log file that
> ++ logsnorter could use as input to an ids console that
> ++ would corelate events from your router, host, or firewall.


I'm not aware of a plugin, others may step forward on that..

However, from /etc/services:

syslog          514/udp


See man syslogd regarding the -r switch for remote logging; I'd be 
inclined to roll my own...

HTH..

- John



> ++ For example: As a Network Security person if I saw a alot
> ++ nimda activity. I would like to know that my router is
> ++ blocking the majority of the traffic. If a user has
> ++ deployed a new application or DNS or MTA, and has not
> ++ recieved approval then I will know about it a week or
> ++ two before instead of Friday at 3:00pm ;-).
> ++ Lastly, you only have eight[0-7] local facilities in syslog.
> ++ With a stealth logger theoretically since I would be
> ++ logging based on ip addresses I could log activity from
> ++ more than eight devices on server in my DMZ, trusted network,
> ++ untrusted network. I hope that clarifies what I am looking
> ++ to do.
> ++
> ++ Respectfully,
> ++ Raymond
> ++ My question is does such a filter exist?
> ++ I have not read my daily digest yet so the answer may
> ++ already be there.
> # output alert_syslog: LOG_AUTH LOG_ALERT
> output alert_syslog: LOG_DAEMON LOG_ALERT
> # as from RELEASE
>
>
> As to "logsnorter", I know not...
>
> HTH..
>
> - John




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users