Snort mailing list archives

How to log all alerts to pcap file and a selected set to syslog


From: Phil Wood <cpw () lanl gov>
Date: Fri, 12 Jul 2002 16:12:49 -0600

Folks,

I've run out of gas.  So, I'm assuming that it is something simple I missed.
What I want to do is post process most of the alerts (like barnyard I
presume, but I'm not there yet) and for a very small few use syslog so
I can hear about it immediately.  My first cut (without the syslog part)
seemed simple:

  In my conf file:

    output log_tcpdump: fullpath_to_file

However, when I run it the default is to create an alert file.

So, next I ran with the switch

    snort ... -A none ...

All is good, I'm getting a libpcap file which I can process later.

Now, I want to "alert" but just for a few select rules.  Well, -A none has
to go.  So, what to do? ...

I create a "redalert" thusly:

    ruletype redalert
    {
      type alert
      output alert_syslog: LOG_LOCAL5 LOG_ALERT
    }

I do a gang edit on all the rules files to replace ^alert^log.

I create an eleet redalert rule:

    redalert udp any any -> 192.168.1.1 31337 (msg: "Click Me Doctor Memory"; content: "excuse me for knocking"; classtype: testing; sid:31337; rev:1;)

I remove "-A none".

and start up snort.

    Voila!

I ran attack.pl in the background, and while it was abusing my snort, I
did the following:

  % echo "excuse me for knocking" | /usr/bin/nc -u 192.168.1.1 31337

Lo and behold, packets were accumulating in the libpcap log file, I
got a page (cause I have something watching the syslog file), and the
"alert" file gratuitously created for me was empty!  Beats writing it
to /dev/null.

I stopped snort and ran a post process snort ... -r tcpdump.log ...
with a modified config file (I replace all the logs and redalerts with
alert).

And, besides the page I got when I sent out the "excuse me" packet, I
have a nice little summary of what happened today.

=======================================================================
15:31:24, 579 packets processed at 6.64 pps in 84 seconds, with 0 drops.

# Classification summary

8       access to a potentially vulnerable web application:2
1       Your test succeeded:4

# Alert message summary

1       [1:1772:3] WEB-IIS pbserver access
1       [1:31337:1] Click Me Doctor Memory
1       [1:1660:3] WEB-IIS trace.axd access
1       [1:1626:4] WEB-IIS /StoreCSVS/InstantOrder.asmx request
1       [1:1754:2] WEB-IIS as_web4.exe access
1       [1:1756:2] WEB-IIS NewsPro administration authentication attempt
1       [1:1753:2] WEB-IIS as_web.exe access
1       [1:1484:3] WEB-IIS /isapi/tstisapi.dll access
1       [1:1750:3] WEB-IIS users.xml access

# Alert destination address and port summary

8       10.10.10.10:80
1       192.168.1.1:31337
========================================================================

It's great when things come together.

Have a nice weekend, see you next week.

Phil
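The setup Phil describes, reproduced as an added shell example (not code from the post or from the Snort project): the snort.conf fragment with log_tcpdump plus the redalert ruletype, and the alert-to-log "gang edit" done with sed on a small constructed rules file. The pcap path is assumed, the sample rules are constructed for the demo, and the sed pattern is anchored on purpose so that "redalert" and "alert_syslog" survive the edit.

```shell
#!/bin/sh
# Added example (not from Phil's post): reproduce the split-output setup the
# post describes. The pcap path and the sample rules are constructed for the demo.

# The snort.conf fragment: everything that fires goes to a libpcap file via
# log_tcpdump; only rules written with the custom "redalert" action also go
# to syslog (LOG_LOCAL5 LOG_ALERT, as in the post). The pcap path is assumed.
emit_conf() {
    cat <<'EOF'
output log_tcpdump: /var/log/snort/tcpdump.log

ruletype redalert
{
  type alert
  output alert_syslog: LOG_LOCAL5 LOG_ALERT
}
EOF
}

# A small constructed rules file: two stock "alert" rules (one with the word
# "alert" inside its msg), one "log" rule, and the post's redalert rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"WEB-IIS alert test"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"tls probe"; sid:1000002; rev:1;)
log udp any any -> any 53 (msg:"dns"; sid:1000003; rev:1;)
redalert udp any any -> 192.168.1.1 31337 (msg:"Click Me Doctor Memory"; content:"excuse me for knocking"; classtype:testing; sid:31337; rev:1;)
EOF
}

# The "gang edit": demote the action keyword "alert" to "log" so those rules
# only reach the pcap log. Anchoring on start-of-line plus a trailing space
# matters: an unanchored s/alert/log/ would also rewrite "redalert" to
# "redlog" and "alert_syslog" to "log_syslog", and mangle msg strings.
relog_rules() {
    sed 's/^alert /log /' "$1" > "$2"
}

# Count rules in file $1 whose action keyword is $2 (0 is a valid answer,
# so grep's exit status 1 for "no match" is not treated as an error).
count_action() {
    grep -c "^$2 " "$1" || true
}

# Stand-alone demo: write the sample file, rewrite it, and show the result.
workdir=$(mktemp -d)
write_sample_rules "$workdir/local.rules"
relog_rules "$workdir/local.rules" "$workdir/local.relogged.rules"
echo "alert rules after edit:    $(count_action "$workdir/local.relogged.rules" alert)"
echo "log rules after edit:      $(count_action "$workdir/local.relogged.rules" log)"
echo "redalert rules kept:       $(count_action "$workdir/local.relogged.rules" redalert)"
emit_conf
```

After the edit, the rewritten rules file has three "log" rules and one "redalert" rule and no plain "alert" rules, so with the emitted config everything still lands in the pcap file and only the redalert rule pages you through syslog. Running the post-processing pass later (snort -r against the pcap with a config where the actions are back to alert) is unchanged by this script.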


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users