Snort mailing list archives

Re: AW: Syslog,MySql, IDS Center /Eagle X


From: Ueli Kistler <iuk () gmx ch>
Date: Tue, 20 May 2003 11:34:09 +0200

Yes IDScenter 1.1 RC2 does support Snort 2.0.. but don't set "Include ARP packets (-a)" option.. this option was removed.. another problem is Syslog support:
workaround when you want to use Syslog:
- Add syslog plugin normally using Output plugins wizard
- Apply
- Go to the Snort configuration file editor panel (Snort.conf).. scroll down until you see something like this.. : output syslog: .....
- Change it to: output syslog: host=myhost:myport, ....
- Yes it is a comma not a space ;)

A 100% Snort 2.0 supporting version of IDScenter (.. distance, within, byte_jump, byte_test keywords, new inline configuration options.. etc.) is already programmed, but not released yet. Some other new cool features are: SQL queries for reports (HTML output, DNS queries are done using a very fast multithreaded code (by me .. ;) )).. the SQL queries work even using AlertMail, what's new about alertmail, is also that it is a thread, so the application is no longer blocked for a while.

More details about SQL queries -> HTML output:
- Decoding of packet information
  - TCP Flags
- Payload decoding (format: "encoded payload ASCII=decoded payload"): Hex to ASCII, Base64 to ASCII
  - non-printable characters are replaced by a red `
  - etc... ;)

The Ruleset manager can now sort the rules by clicking on the columns (also the classifications can be sorted like this). I also reviewed some code (bug fixes included).. a Whois lookup is available from the internal logviewer.

Another cool feature is the use of Oinkmaster (perl script by Andreas Östling)... IDScenter can write the whole configuration file for you and has also a HTTP client which checks for new rule updates (Details: using Last-Modified field for this, minimum interval is 15min.. we don't want to slow down www.snort.org)

Concerning Syslog support of Snort: IDScenter 1.1 RC3 (my dev version) does support both.. Snort 1.8/1.9 and Snort 2.0 setup of the syslog plugin...

Ok.. sorry that it's not yet available ;) .. i just wanted to add something else before releasing it..

NOTE: www.packx.net is *no longer* the official site for IDScenter!.. The next release is available on www.engagesecurity.com (not online for now).

Regards,
   Ueli Kistler
   eclipse () engagesecurity com
   www.engagesecurity.com

--
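The Win32 `output alert_syslog:` line described above is easy to get wrong in exactly the way the post warns about (a space instead of a comma after `host=...`). This added example, not code from IDScenter or Snort, parses such lines from a constructed snort.conf fragment and flags the mistakes; the facility and priority name sets beyond LOG_AUTH / LOG_ALERT are Snort's standard ones, not taken from the thread.

```python
import re

# Facilities and priorities accepted by Snort's alert_syslog plugin. Only
# LOG_AUTH / LOG_ALERT appear in the thread; the rest are Snort's standard set.
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    f"LOG_LOCAL{i}" for i in range(8)}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}

# Win32 form from the thread: output alert_syslog: host=<host>[:<port>], <facility> <priority>
LINE_RE = re.compile(
    r"^\s*output\s+(?P<plugin>\w+):\s*"
    r"(?:host=(?P<host>[^\s:,]+)(?::(?P<port>\d+))?(?P<sep>,\s*|\s+))?"
    r"(?P<rest>.*?)\s*$")

# Constructed snort.conf fragment (sample input, not from the thread's systems).
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost:1514, LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost:514 LOG_AUTH LOG_ALERT
output syslog: host=loghost, LOG_AUTH LOG_ALERT
"""

def parse_alert_syslog(line):
    """Parse one output line; return its fields plus a list of problems."""
    m = LINE_RE.match(line)
    if not m:
        return {"problems": ["not an 'output <plugin>:' line"]}
    problems = []
    if m["plugin"] != "alert_syslog":
        problems.append(f"plugin '{m['plugin']}' should be 'alert_syslog'")
    # The point the thread stresses: on Win32, host=... ends with a comma, not a space.
    if m["host"] and not m["sep"].startswith(","):
        problems.append("host=... must be followed by a comma, not a space")
    tokens = m["rest"].split() + [None, None]
    facility, priority = tokens[0], tokens[1]
    if facility not in FACILITIES:
        problems.append(f"unknown facility {facility!r}")
    if priority not in PRIORITIES:
        problems.append(f"unknown priority {priority!r}")
    return {"host": m["host"], "port": int(m["port"]) if m["port"] else None,
            "facility": facility, "priority": priority, "problems": problems}

def check_snort_conf(text):
    """Return {stripped line: problems} for every syslog output line in a config."""
    return {ln.strip(): parse_alert_syslog(ln)["problems"]
            for ln in text.splitlines() if re.match(r"\s*output\s+\w*syslog:", ln)}
```

Running `check_snort_conf(SAMPLE_CONF)` reports the fourth line for its missing comma and the fifth for the wizard's `syslog` plugin name; the other three pass.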



Freddie Soerensen wrote:

Ueli

Does the present version of IDSCenter work with Snort 2.0 ?

Freddie


-----Original Message-----
From: Ueli Kistler [mailto:iuk () gmx ch] Sent: Monday, 19 May 2003 19:26
To: McBurnett, Jim
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Syslog,MySql, IDS Center /Eagle X


Hello

McBurnett, Jim wrote:

.. <snip>
I tried to add Syslog to it and Bingo-- It crashes every
time it sends
a message..
I tried to send to an external syslog.. no go. I tried an
on Machine
Syslog.
No go.. System has 3 NICS, and I am using the 2nd NIC.

Snort 2.0:
add a syslog output plugin in the output plugin wizard.. then click on apply. Now go to "IDS rules" again, where the Snort configuration editor is (Snort.conf).. scroll down until you find "output syslog: .."

now change it to something like this:
    *   output alert_syslog: LOG_AUTH LOG_ALERT
    *   output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
    *   output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

- Save
- Click on "Apply"

(note from chris reid:
For Win32, the remote host/port information has been moved into the
snort.conf file. See the "alert_syslog" option in snort.conf. The reason for this was to make the command line options more compatible with the *nix
version of snort.)

Regards,
        Ueli Kistler
        eclipse () engagesecurity com
        www.engagesecurity.com

--






-------------------------------------------------------
This SF.net email is sponsored by: If flattening out C++ or Java
code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software.
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


