Snort mailing list archives
Re: can snort decode syslog traffic and feed that traffic into logsnorter
From: John Sage <jsage () finchhaven com>
Date: Tue, 04 Dec 2001 08:34:58 -0800
Raymond:

Raymond Jacob wrote:

> From: John Sage <jsage () adsfasdf com>
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] can snort decode syslog traffic and feed that traffic into logsnorter
> Date: Mon, 03 Dec 2001 19:06:11 -0800
>
> Raymond:
>
> I don't believe this is referring to syslog traffic *within* one box, rather I think the idea is that snort can sniff syslog traffic going from one host to another (if they are set up that way...), or from several hosts to a central logserver...

++ That was my understanding too. I am sorry that was
++ not clear in my email.

Just wanted to make sure *I* knew what you were talking about ;-)

> Does that make any sense?

++ Yes that does.

> snort can output to syslog on the snort box, here's what I use:

++ I must not have been very clear in my original email.
++ So I will try again. As the article I mentioned says:
++ you can use a packet capture tool to do stealth logging
++ of syslog messages sent from a host or a router.
++ I thought in order to do this there would exist a
++ filter that could capture the syslog traffic from
++ the network and output that traffic to a log file that
++ logsnorter could use as input to an ids console that
++ would correlate events from your router, host, or firewall.

I'm not aware of a plugin, others may step forward on that.. However, from /etc/services:

    syslog 514/udp

See man syslogd regarding the -r switch for remote logging; I'd be inclined to roll my own...

HTH..

- John

++ For example: As a Network Security person if I saw a lot of
++ nimda activity. I would like to know that my router is
++ blocking the majority of the traffic. If a user has
++ deployed a new application or DNS or MTA, and has not
++ received approval then I will know about it a week or
++ two before instead of Friday at 3:00pm ;-).
++ Lastly, you only have eight [0-7] local facilities in syslog.
++ With a stealth logger theoretically since I would be
++ logging based on ip addresses I could log activity from
++ more than eight devices on server in my DMZ, trusted network,
++ untrusted network. I hope that clarifies what I am looking
++ to do.
++
++ Respectfully,
++ Raymond
++
++ My question is does such a filter exist?
++ I have not read my daily digest yet so the answer may
++ already be there.

> # output alert_syslog: LOG_AUTH LOG_ALERT
> output alert_syslog: LOG_DAEMON LOG_ALERT # as from RELEASE
>
> As to "logsnorter", I know not...
>
> HTH..
>
> - John
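What "roll my own" could look like, as an added example that is not part of the thread and not code from Snort or logsnorter: a Python 3 core for a passive syslog collector. It assumes raw IPv4/UDP packets are handed to it by some capture source that is not shown (a pcap reader or an AF_PACKET socket would do), and that the messages use the RFC 3164 "<PRI>text" form on UDP 514. The sample packets, addresses and message texts are constructed for the example. The point it demonstrates is the one Raymond raises: keying the records by the sender's IP address rather than by facility, so the eight local facilities stop being the limit on how many devices can be told apart.

```python
"""Passive syslog collector core (added example, not from the thread).

Assumes raw IPv4/UDP packets are supplied by a capture source (not shown)
and RFC 3164 style "<PRI>text" syslog on UDP 514. Records are keyed by the
sending host's IP address, not by syslog facility."""
import socket
import struct
from collections import defaultdict

SYSLOG_PORT = 514
IPPROTO_UDP = 17

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_ipv4_udp(packet):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an IPv4/UDP
    packet, or None for anything else or for a truncated packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    # Trust the smallest of the three length claims so a bad header
    # cannot make us read past the datagram we were actually given.
    end = min(len(packet), total_len, ihl + ulen)
    return src, dst, sport, dport, packet[ihl + 8:end]


def parse_syslog(payload):
    """Split "<PRI>message" into (facility, severity, message).
    A missing or malformed PRI is treated as user.notice, as RFC 3164 says."""
    text = payload.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    if text.startswith("<"):
        close = text.find(">")
        if 1 < close <= 4 and text[1:close].isdigit():
            pri = int(text[1:close])
            if pri <= 191:
                return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text[close + 1:]
    return "user", "notice", text


def collect(packets):
    """Passively collect syslog datagrams and group them per sending host.
    Returns {src_ip: ["facility.severity message", ...]}."""
    logs = defaultdict(list)
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, _dst, _sport, dport, payload = parsed
        if dport != SYSLOG_PORT:
            continue
        facility, severity, message = parse_syslog(payload)
        logs[src].append("%s.%s %s" % (facility, severity, message))
    return dict(logs)


def build_packet(src, dst, payload, sport=514, dport=SYSLOG_PORT):
    """Construct a raw IPv4/UDP packet for testing (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


# Constructed sample traffic: two syslog senders plus one non-syslog datagram.
SAMPLE_PACKETS = [
    build_packet("10.0.0.1", "10.0.0.50", b"<134>router: list 101 denied tcp 192.0.2.5 -> 10.0.0.9(80)"),
    build_packet("10.0.0.2", "10.0.0.50", b"<38>sshd[812]: Accepted publickey for admin from 10.0.0.7"),
    build_packet("10.0.0.1", "10.0.0.50", b"<131>router: interface Serial0 changed state to down"),
    build_packet("10.0.0.3", "10.0.0.50", b"not syslog", sport=4000, dport=53),
]

if __name__ == "__main__":
    for host, lines in sorted(collect(SAMPLE_PACKETS).items()):
        print(host)
        for line in lines:
            print("   ", line)
```

Feeding real traffic in means replacing `SAMPLE_PACKETS` with the IP-layer payload of each captured frame; the per-host lists are what a downstream correlator such as the one Raymond describes would consume. Because nothing here replies to or acknowledges the senders, the collector stays invisible on the wire, which is the "stealth" property the thread is after.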
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Jason Haar (Dec 03)
- <Possible follow-ups>
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 04)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 04)