Snort mailing list archives
How to log all alerts to pcap file and a selected set to syslog
From: Phil Wood <cpw () lanl gov>
Date: Fri, 12 Jul 2002 16:12:49 -0600
Folks, I've run out of gas. So, I'm assuming that it is something simple I missed.

What I want to do is post process most of the alerts (like barnyard I presume, but I'm not there yet) and for a very small few use syslog so I can hear about it immediately.

My first cut (without the syslog part) seemed simple. In my conf file:

    output log_tcpdump: fullpath_to_file

However, when I run it the default is to create an alert file. So, next I ran with the switch:

    snort ... -A none ...

All is good, I'm getting a libpcap file which I can process later.

Now, I want to "alert" but just for a few select rules. Well, -A none has to go. So, what to do? ... I create a "redalert" thusly:

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_LOCAL5 LOG_ALERT
    }

I do a gang edit on all the rules files to replace ^alert^log. I create an eleet redalert rule:

    redalert udp any any -> 192.168.1.1 31337 (msg: "Click Me Doctor Memory"; content: "excuse me for knocking"; classtype: testing; sid:31337; rev:1;)

I remove "-A none" and start up snort. Voila!

I ran attack.pl in the background, and while it was abusing my snort, I did the following:

    % echo "excuse me for knocking" | /usr/bin/nc -u 192.168.1.1 31337

Lo and behold, packets were accumulating in the libpcap log file, I got a page ('cause I have something watching the syslog file), and the "alert" file gratuitously created for me was empty! Beats writing it to /dev/null.

I stopped snort and ran a post process:

    snort ... -r tcpdump.log ...

with a modified config file (I replace all the log's and redalerts with alert). And, besides the page I got when I sent out the "excuse me" packet, I have a nice little summary of what happened today.

=======================================================================
15:31:24, 579 packets processed at 6.64 pps in 84 seconds, with 0 drops.

# Classification summary
8 access to a potentially vulnerable web application:2
1 Your test succeeded:4

# Alert message summary
1 [1:1772:3] WEB-IIS pbserver access
1 [1:31337:1] Click Me Doctor Memory
1 [1:1660:3] WEB-IIS trace.axd access
1 [1:1626:4] WEB-IIS /StoreCSVS/InstantOrder.asmx request
1 [1:1754:2] WEB-IIS as_web4.exe access
1 [1:1756:2] WEB-IIS NewsPro administration authentication attempt
1 [1:1753:2] WEB-IIS as_web.exe access
1 [1:1484:3] WEB-IIS /isapi/tstisapi.dll access
1 [1:1750:3] WEB-IIS users.xml access

# Alert destination address and port summary
8 10.10.10.10:80
1 192.168.1.1:31337
========================================================================

It's great when things come together. Have a nice weekend, see you next week.

Phil
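The two edits Phil describes (the "gang edit" that turns every alert rule into a log rule, and the reverse edit for the snort -r post-processing run) are the part most likely to go wrong in practice, so here is an added example that is not part of Phil's post or of Snort itself. It builds a small constructed rules file, writes the ruletype/output fragment from the post into a throwaway snort.conf, and runs both rewrites anchored to the start of the line. The rules file name, the local sid 1000001, and the pcap path /var/log/snort/tcpdump.log are assumptions for the demo; the only sids taken from the post are 1750 and 31337.

```shell
#!/bin/sh
# Added example, not from the original post or from the Snort project.
# Shows why the "gang edit" must be anchored: an unanchored s/alert/log/
# would also rewrite "redalert" (the custom ruletype) and any msg text
# that happens to contain the word "alert".
set -eu

# Constructed sample rules covering the three cases the edit must get
# right: a plain alert rule (becomes log), a msg containing "alert"
# (must stay intact), and a redalert rule (must not be touched).
# sid 1000001 is a made-up local sid for this demo.
make_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules for the demo
alert tcp any any -> 10.10.10.10 80 (msg:"WEB-IIS users.xml access"; content:"users.xml"; sid:1750; rev:3;)
alert tcp any any -> 10.10.10.10 80 (msg:"WEB-IIS alert page access"; content:"/alert.asp"; sid:1000001; rev:1;)
redalert udp any any -> 192.168.1.1 31337 (msg:"Click Me Doctor Memory"; content:"excuse me for knocking"; classtype:testing; sid:31337; rev:1;)
EOF
}

# The config fragment from the post: everything that fires goes to the
# pcap via log_tcpdump, and redalert rules additionally page via syslog.
# The pcap path and RULE_PATH are assumptions.
make_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules

ruletype redalert
{
    type alert
    output alert_syslog: LOG_LOCAL5 LOG_ALERT
}

output log_tcpdump: /var/log/snort/tcpdump.log

include $RULE_PATH/local.rules
EOF
}

# Live run: only a leading "alert " becomes "log ". The ^ anchor is what
# keeps "redalert" and 'msg:"... alert ..."' untouched.
gang_edit_to_log() {
    sed 's/^alert /log /' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Post-processing run (snort -r): turn log and redalert back into alert
# so the replay prints the summary instead of paging again.
gang_edit_to_alert() {
    sed -e 's/^log /alert /' -e 's/^redalert /alert /' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Number of rules in $1 whose action keyword is $2.
count_action() {
    grep -c "^$2 " "$1" || true
}

WORK=$(mktemp -d)
make_rules "$WORK/local.rules"
make_conf "$WORK/snort.conf"

gang_edit_to_log "$WORK/local.rules"
echo "after gang edit to log:"
echo "  alert rules:    $(count_action "$WORK/local.rules" alert)"
echo "  log rules:      $(count_action "$WORK/local.rules" log)"
echo "  redalert rules: $(count_action "$WORK/local.rules" redalert)"

cp "$WORK/local.rules" "$WORK/local.rules.replay"
gang_edit_to_alert "$WORK/local.rules.replay"
echo "after gang edit back to alert (replay config):"
echo "  alert rules:    $(count_action "$WORK/local.rules.replay" alert)"
```

Run it as-is; it only touches files under a mktemp directory. Against a real rules tree the same sed lines apply to *.rules, but check the result with the count_action style greps before starting snort, because a rule whose action was changed by mistake is silently dropped from the syslog path rather than reported.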
Current thread:
- How to log all alerts to pcap file and a selected set to syslog Phil Wood (Jul 12)