Snort mailing list archives
Re: AW: Syslog,MySql, IDS Center /Eagle X
From: Ueli Kistler <iuk () gmx ch>
Date: Tue, 20 May 2003 11:34:09 +0200
Yes, IDScenter 1.1 RC2 does support Snort 2.0.. but don't set the "Include ARP packets (-a)" option.. this option was removed.. Another problem is Syslog support:

Workaround when you want to use Syslog:
- Add the syslog plugin normally using the Output plugins wizard
- Apply
- Go to the Snort configuration file editor panel (Snort.conf).. scroll down until you see something like this..: output syslog: .....
- Change it to: output syslog: host=myhost:myport, ....
- Yes, it is a comma, not a space ;)

A 100% Snort 2.0 supporting version of IDScenter (.. distance, within, byte_jump, byte_test keywords, new inline configuration options.. etc.) is already programmed, but not released yet. Some other new cool features are: SQL queries for reports (HTML output; DNS queries are done using very fast multithreaded code (by me .. ;) )).. the SQL queries work even using AlertMail. What's new about AlertMail is also that it is a thread, so the application is no longer blocked for a while.

More details about SQL queries -> HTML output:
- Decoding of packet information
- TCP Flags
- Payload decoding (format: "encoded payload ASCII=decoded payload"): Hex to ASCII, Base64 to ASCII
- Non-printable characters are replaced by a red `
- etc... ;)

The Ruleset manager can now sort the rules by clicking on the columns (the classifications can also be sorted like this). I also reviewed some code (bug fixes included).. a Whois lookup is available from the internal logviewer.

Another cool feature is the use of Oinkmaster (Perl script by Andreas Östling)... IDScenter can write the whole configuration file for you and also has an HTTP client which checks for new rule updates (details: it uses the Last-Modified field for this; the minimum interval is 15min.. we don't want to slow down www.snort.org).

Concerning Syslog support of Snort: IDScenter 1.1 RC3 (my dev version) does support both.. the Snort 1.8/1.9 and the Snort 2.0 setup of the syslog plugin...

Ok.. sorry that it's not yet available ;) .. I just wanted to add something else before releasing it..

NOTE: www.packx.net is *no longer* the official site for IDScenter!.. The next release is available on www.engagesecurity.com (not online for now).
Regards,
Ueli Kistler
eclipse () engagesecurity com
www.engagesecurity.com

--

Freddie Soerensen wrote:

Ueli,
Does the present version of IDSCenter work with Snort 2.0?
Freddie

-----Original Message-----
From: Ueli Kistler [mailto:iuk () gmx ch]
Sent: Monday, 19 May 2003 19:26
To: McBurnett, Jim
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Syslog,MySql, IDS Center /Eagle X

Hello,

McBurnett, Jim wrote:
.. <snip>
I tried to add Syslog to it and Bingo-- It crashes every time it sends on Machine a message.. I tried to send to an external syslog.. no go. I tried a Syslog. No go.. System has 3 NICS, and I am using the 2nd NIC.

Snort 2.0: add a syslog output plugin in the output plugin wizard.. then click on apply. Now go to "IDS rules" again, where the Snort configuration editor is (Snort.conf).. scroll down until you find "output syslog: .." now change it to something like this:
* output alert_syslog: LOG_AUTH LOG_ALERT
* output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
* output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
- Save
- Click on "Apply"

(note from chris reid: For Win32, the remote host/port information has been moved into the snort.conf file. See the "alert_syslog" option in snort.conf. The reason for this was to make the command line options more compatible with the *nix version of snort.)

Regards,
Ueli Kistler
eclipse () engagesecurity com
www.engagesecurity.com

-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
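As an added example (not code from the mail or from IDScenter), a small checker for the Win32 `output alert_syslog:` line format the thread describes: it flags the wizard's `output syslog:` stub, the space-instead-of-comma mistake after `host=`, and a bad port, and scans a constructed snort.conf fragment. The facility and priority keyword sets are the ones Snort's alert_syslog plugin accepts; the function names, the 514 default port and the sample lines are this example's own assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Facility/priority keywords Snort's alert_syslog plugin accepts (per the Snort
# manual); extra option flags such as LOG_PID are ignored by this checker.
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              *(f"LOG_LOCAL{i}" for i in range(8))}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}

class SyslogOutput(NamedTuple):
    host: Optional[str]  # None means the local syslog
    port: int            # assumed 514 unless host=...:port says otherwise
    facility: str
    priority: str

def parse_alert_syslog(line: str) -> SyslogOutput:
    """Parse a Win32 'output alert_syslog: [host=h[:p],] FACILITY PRIORITY' line,
    raising ValueError that names the mistakes the thread warns about."""
    m = re.match(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not an 'output <plugin>:' line")
    plugin, rest = m.groups()
    if plugin == "syslog":  # the stub the wizard writes, as described in the mail
        raise ValueError("'output syslog:' must be changed to 'output alert_syslog:'")
    if plugin != "alert_syslog":
        raise ValueError(f"not a syslog output plugin: {plugin}")
    host, port = None, 514
    if rest.startswith("host="):
        if "," not in rest:  # "it is a comma not a space"
            raise ValueError("host=... must be followed by a comma, not a space")
        spec, rest = (s.strip() for s in rest.split(",", 1))
        host, _, p = spec[len("host="):].partition(":")
        if p and (not p.isdigit() or not 0 < int(p) < 65536):
            raise ValueError(f"bad syslog port {p!r}")
        port = int(p) if p else port
    fac = [t for t in rest.split() if t in FACILITIES]
    pri = [t for t in rest.split() if t in PRIORITIES]
    if len(fac) != 1 or len(pri) != 1:
        raise ValueError("exactly one LOG_ facility and one LOG_ priority expected")
    return SyslogOutput(host, port, fac[0], pri[0])

def check_conf(text: str) -> List[Tuple[int, str]]:
    """(line number, problem) for each syslog output line in a snort.conf that fails."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*output\s+(alert_)?syslog\b", raw):
            try:
                parse_alert_syslog(raw)
            except ValueError as e:
                problems.append((n, str(e)))
    return problems
```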