Snort mailing list archives

RE: Question about alerts and Windows environment


From: "Don Weber" <Don () WeberOnTheWeb com>
Date: Thu, 9 Jan 2003 10:06:34 -0800

Well, there is Backlog, which forwards Windows event logs to a remote or local syslog
server; get that at Kiwi, I think. The Windows event log generates lots of
entries in the syslog, though.
  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher Luther
  Sent: Wednesday, January 08, 2003 10:27 AM
  To: 'Mark Scott'
  Cc: Snort-Users (E-mail)
  Subject: RE: [Snort-users] Question about alerts and Windows environment
  Sensitivity: Confidential


  At least with both Snort 1.8.6 and 1.8.7 for Win32, the '-A' option does
work (at least w/ the binaries I obtained from the snort.org web site).

  When I first started using Snort, I used only the "-A fast" or "-A full"
command line parameters to generate alert information to the alert.ids file
in my log directory.  The command line was something like:

      snort.exe -c "D:\BIN\Snort\snort.conf" -l "D:\BIN\Snort\log" -A fast -h 10.0.1.0/24 -i 1 -y

  I also use IDScenter to monitor the alert.ids file and generate e-mail
messages when alerts occur.

  I've recently switched to using MySQL as the repository for the Snort log
information.  My command line is now like:

      snort.exe -c "D:\BIN\Snort\snort.conf" -l "D:\BIN\Snort\log" -h 10.0.1.0/24 -i 1 -y

  That is, no more '-A fast', and my snort.conf file now also has three
output plugins:

      output alert_fast: alert.ids
      output alert_syslog: LOG_AUTHPRIV LOG_ALERT
      output database: log, mysql,  [snip]

  I still get the alert information logged to alert.ids (for use by
IDScenter), and I also noticed that, at least with Snort 1.8.6 for Win32,
the "alert_syslog" plugin generates output to my local Application Event
Log.



  Hope this helps,

  Christopher



  -----Original Message-----
  From: Mark Scott [mailto:mscott () mtgroup com]
  Sent: Tuesday, January 07, 2003 9:29 PM
  To: 'L. Christopher Luther'
  Subject: RE: [Snort-users] Question about alerts and Windows environment



  Hi Christopher,

  Thanks for the reply, my understanding is that with the Win32 port of
snort the -A option does not work. I did try that and to no avail.

  Mark

  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher Luther

  Sent: Tuesday, January 07, 2003 1:45 PM
  To: 'Mark Scott'
  Cc: 'snort-users () lists sourceforge net'
  Subject: RE: [Snort-users] Question about alerts and Windows environment



  Mark,

  Are you using an alert output plugin in the snort.conf file?  If so, then
yes, '-E' will disable this alert output.

  Instead, specify an alert output via the command line (e.g., '-A fast',
'-A full', etc.) or, as I just found out (the hard way), the 'output
alert_syslog ...' plug-in under Win32 (at least for Snort 1.8.6) sends its
output to the Application Event log.  You could always try this and drop the
'-E' command line parameter.

  Christopher



  -----Original Message-----
  Date: Mon,  6 Jan 2003 09:34:37 -0600
  From: "Mark  Scott" <Mark.Scott () mtgroup com>
  Reply-To: <Mark.Scott () mtgroup com>
  To: <snort-users () lists sourceforge net>
  Subject: [Snort-users] Question about alerts and Windows environment

  Hi,

  I am testing Snort on Windows XP and would like to be able to log alerts
to the alerts file in my log directory and also in my Windows event log. Is
it possible to do this? I am using the snort command line '-E' which sends
it to the event log, but it stops logging to the alert file.

  Thanks for any insight,

  Mark
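The thread above describes two things Snort 1.8.x on Win32 does with an alert: append a one-line record to alert.ids via "-A fast" / "output alert_fast", and hand the same alert to syslog with the facility and severity named on the "output alert_syslog: LOG_AUTHPRIV LOG_ALERT" line. The script below is an added example, not code from the thread or from the Snort project: it parses alert_fast lines and renders each one as the RFC 3164 syslog message such a configuration would produce, which is the same job a file-to-syslog forwarder of the kind Don mentions has to do. It assumes the alert_fast line layout of Snort 1.8.x (timestamp, [gid:sid:rev], message, classification, priority, protocol, source -> destination), uses the numeric facility/severity codes from <syslog.h>, and the sample alert.ids lines, the sensor hostname and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facility and severity codes as defined in <syslog.h> / RFC 3164.
# Snort's "output alert_syslog: <facility> <severity>" line names exactly these.
SYSLOG_FACILITIES = {
    "LOG_AUTH": 4, "LOG_AUTHPRIV": 10, "LOG_DAEMON": 3, "LOG_USER": 1,
    "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
    "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}
SYSLOG_SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# One "-A fast" / alert_fast line (Snort 1.8.x layout, assumed here):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class FastAlert:
    month: int
    day: int
    time: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str


def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return FastAlert(
        month=int(m["mon"]), day=int(m["day"]), time=m["time"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value for a facility/severity pair: facility * 8 + severity."""
    return SYSLOG_FACILITIES[facility] * 8 + SYSLOG_SEVERITIES[severity]


def to_syslog(alert: FastAlert, facility: str, severity: str, hostname: str) -> str:
    """Render the alert as an RFC 3164 message, the shape alert_syslog emits."""
    # RFC 3164 timestamp: "Mmm dd HH:MM:SS" with the day space-padded to width 2.
    stamp = f"{MONTHS[alert.month - 1]} {alert.day:2d} {alert.time}"
    cls = f" [Classification: {alert.classification}]" if alert.classification else ""
    body = (f"[{alert.gid}:{alert.sid}:{alert.rev}] {alert.msg}{cls} "
            f"[Priority: {alert.priority}] {{{alert.proto}}} {alert.src} -> {alert.dst}")
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} snort: {body}"


# Constructed sample alert.ids content (not captured from a real sensor).
SAMPLE_ALERT_IDS = """\
01/08-10:27:00.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.5 -> 10.0.1.1
01/08-10:27:03.654321  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.1.5:3341 -> 10.0.1.10:80
this line is not an alert and is skipped
"""


def forward_file(text: str, facility: str = "LOG_AUTHPRIV", severity: str = "LOG_ALERT",
                 hostname: str = "sensor1") -> list:
    """Convert every parsable alert line into a syslog message string."""
    out = []
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None:
            out.append(to_syslog(alert, facility, severity, hostname))
    return out


if __name__ == "__main__":
    for msg in forward_file(SAMPLE_ALERT_IDS):
        print(msg)
```

With LOG_AUTHPRIV (10) and LOG_ALERT (1) the PRI header is <81>, which is what a receiving syslog server uses to route the message; a line that does not match the alert_fast layout is skipped rather than forwarded as garbage, so a truncated or partially written last line in alert.ids does not produce a malformed syslog record.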
