Snort mailing list archives

RE: Question about alerts and Windows environment


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 10 Jan 2003 11:41:29 -0500

I searched the source code, and it appears that whenever the interface name
is output as part of the logging process, only element zero (0) of the
pv.interfaces[] array is used for the output.  

So, I went ahead and implemented the '-I' command line parameter, and last
night I got the following alert from my WinNT4 Snort 1.8.6 sensor:  

    01/09/03-17:32:08.701223  [**] [1:1243:6]  <\Device\Packet_E100B1> WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 204.27.90.35:4753 -> xxx.xxx.xxx.xxx:80

As you can see, the interface name is being displayed properly.  


Christopher
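The alert above is in Snort's "alert fast" format, with the <interface> field that the '-I' option adds sitting between the [gid:sid:rev] block and the rule message. The following parser is an added example, not code from the thread or from the Snort project; the two sample lines are constructed (modelled on the alert shown above, with a made-up 10.0.1.20 destination in place of the redacted address), and the second line omits the interface field to show that the parser also handles sensors run without '-I'.

```python
import re
from typing import Optional

# Constructed sample lines in the alert_fast layout shown in the thread.
# The first carries the <interface> field added by '-I'; the second does not.
SAMPLE_ALERTS = [
    "01/09/03-17:32:08.701223  [**] [1:1243:6]  <\\Device\\Packet_E100B1> WEB-IIS "
    "ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] "
    "{TCP} 204.27.90.35:4753 -> 10.0.1.20:80",
    "01/09/03-17:40:01.000001  [**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] "
    "{TCP} 204.27.90.35:4790 -> 10.0.1.20:80",
]

# Timestamp is MM/DD/YY-HH:MM:SS.usec; the interface, classification and
# priority blocks are all optional; ports are absent for protocols without them.
ALERT_FAST_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<interface>[^>]+)>\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert_fast(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not an
    alert_fast record. Numeric fields are converted to int; 'interface'
    is None when the sensor was not started with '-I'."""
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(lines) -> dict:
    """Count alerts per (interface, sid). On a multi-interface sensor this
    shows which capture interface actually saw the triggering traffic,
    which is the information the '-I' field exists to carry."""
    counts = {}
    for line in lines:
        rec = parse_alert_fast(line)
        if rec is None:
            continue  # unparseable line: skip rather than miscount
        key = (rec["interface"] or "<no interface field>", rec["sid"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert_fast(line))
    print(summarize(SAMPLE_ALERTS))
```

Feed it the alert.ids file one line at a time (the file is append-only, so a tail loop works) and the summary tells you at a glance whether alerts from one interface are missing, which is exactly the symptom of the truncated interface name discussed in this thread.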


-----Original Message-----
From: L. Christopher Luther 
Sent: Thursday, January 09, 2003 3:19 PM
To: 'Mark Scott'
Cc: 'Snort-Users (E-mail)'
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


I tweaked the OpenPCap() function (snort.c) and added the PRINT_INTERFACE
macro as a wrapper around the pv.interfaces[num] var, and now the
"Initializing ..." message displays the interface name correctly.  

It's possible that somewhere else in the code the pv.interfaces[num] var is
being output w/o the PRINT_MACRO, which may explain the solo '/' in your
'-I' output.  

Christopher 


-----Original Message-----
From: L. Christopher Luther 
Sent: Thursday, January 09, 2003 2:20 PM
To: 'Mark Scott'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


I looked at the 1.8.6 source code, and it appears that '-I' parameter does
properly format the interface name for output in syslog, "alert fast", and
"alert full".  But of course, I've not actually tried to use this parameter.


I did notice that when both of my sensors start up, the text "Initializing
Network Interface \" is displayed, which comes from the source:  

    LogMessage("\nInitializing Network Interface %s\n", pv.interfaces[num]);

in OpenPCap() function (snort.c).  But further on in my Snort startup
output, the text "Decoding Ethernet on interface
\Device\Packet_{C4F961EB-4DD5-47F8-98E2-5FDE544E8621}" is displayed, which
comes from the source:  

    LogMessage("Decoding Ethernet on interface %s\n", PRINT_INTERFACE(pv.interfaces[num]));

in the SetPktProcessor() function (snort.c).  It may be that the
"Initializing ..." message needs the PRINT_INTERFACE macro placed on it.  

When I get a chance I'll play w/ the source code to see what happens.  

- Christopher 


-----Original Message-----
From: Mark Scott [mailto:mscott () mtgroup com]
Sent: Thursday, January 09, 2003 1:23 PM
To: 'L. Christopher Luther'
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


Thanks...

Can you get the -I (uppercase i) to display the interface name. I have it
turned on but it logs nothing but a '/' in this field.

Mark

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com] 
Sent: Thursday, January 09, 2003 12:16 PM
To: 'Don Weber'
Cc: 'Mark Scott'; Snort-Users (E-mail)
Subject: RE: [Snort-users] Question about alerts and Windows environment
Sensitivity: Confidential


I just tweaked the snort.c file so that the '-s ipaddress' command line
parameter would not disable any output plugins specified in the snort.conf
file.  I now use *both* the '-s ipaddress' command line parameter and
'output alert_syslog: ...' option in snort.conf, and now Snort is properly
sending syslog alerts to my syslog daemon on another Win32 server.  

Christopher 

(BTW, I'm currently using Kiwi's syslog daemon service, but may switch to
3COM's syslog daemon service) 


-----Original Message----- 
From: Don Weber [mailto:Don () WeberOnTheWeb com] 
Sent: Thursday, January 09, 2003 1:07 PM 
To: L. Christopher Luther; 'Mark Scott' 
Cc: Snort-Users (E-mail) 
Subject: RE: [Snort-users] Question about alerts and Windows environment 
Sensitivity: Confidential 


Well, there is BackLog, which forwards Windows event logs to a remote or local
syslog server; you can get that at Kiwi, I think. The Windows event log generates lots of
entries in the syslog, though.

-----Original Message----- 
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of L. Christopher
Luther
Sent: Wednesday, January 08, 2003 10:27 AM 
To: 'Mark Scott' 
Cc: Snort-Users (E-mail) 
Subject: RE: [Snort-users] Question about alerts and Windows environment 
Sensitivity: Confidential 


At least with both Snort 1.8.6 and 1.8.7 for Win32, the '-A' option does
work (at least w/ the binaries I obtained from the snort.org web site).  

When I first started using Snort, I used only the "-A fast" or "-A full"
command line parameters to generate alert information to the alert.ids file
in my log directory.  The command line was something like:  

    snort.exe -c "D:\BIN\Snort\snort.conf" -l "D:\BIN\Snort\log" -A fast -h 10.0.1.0/24 -i 1 -y

I also use IDScenter to monitor the alert.ids file and generate e-mail
messages when alerts occur.  
I've recently switched to using MySQL as the repository for the Snort log
information.  My command line is now like:  

    snort.exe -c "D:\BIN\Snort\snort.conf" -l "D:\BIN\Snort\log" -h 10.0.1.0/24 -i 1 -y

That is, no more '-A fast', and my snort.conf file now also has three output
plugins:  

    output alert_fast: alert.ids  
    output alert_syslog: LOG_AUTHPRIV LOG_ALERT  
    output database: log, mysql,  [snip]  

I still get the alert information logged to alert.ids (for use by
IDScenter), and I also noticed that, at least with Snort 1.8.6 for Win32,
the "alert_syslog" plugin generates output to my local Application Event
Log.  


Hope this helps,  

Christopher 


-----Original Message----- 
From: Mark Scott [mailto:mscott () mtgroup com] 
Sent: Tuesday, January 07, 2003 9:29 PM 
To: 'L. Christopher Luther' 
Subject: RE: [Snort-users] Question about alerts and Windows environment 


Hi Christopher, 

Thanks for the reply, my understanding is that with the Win32 port of snort
the -A option does not work. I did try that and to no avail.

Mark 
-----Original Message----- 
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher
Luther
Sent: Tuesday, January 07, 2003 1:45 PM 
To: 'Mark Scott' 
Cc: 'snort-users () lists sourceforge net' 
Subject: RE: [Snort-users] Question about alerts and Windows environment 


Mark,  

Are you using an alert output plugin in the snort.conf file?  If so, then
yes, '-E' will disable this alert output.  

Instead, specify an alert output via the command line (e.g., '-A fast', '-A
full', etc.) or, as I just found out (the hard way), the 'output
alert_syslog ...' plug-in under Win32 (at least for Snort 1.8.6) sends its
output to the Application Event log.  You could always try this and drop the
'-E' command line parameter.  

Christopher 


-----Original Message----- 
Date: Mon,  6 Jan 2003 09:34:37 -0600 
From: "Mark  Scott" <Mark.Scott () mtgroup com> 
Reply-To: <Mark.Scott () mtgroup com> 
To: <snort-users () lists sourceforge net> 
Subject: [Snort-users] Question about alerts and Windows environment 

Hi, 

I am testing Snort on Windows XP and would like to be able to log alerts to
the alerts file in my log directory and also in my Windows event log. Is it
possible to do this? I am using the snort command line '-E' which sends it
to the event log, but it stops logging to the alert file.

Thanks for any insight, 

Mark 
