Snort mailing list archives

RE: same tcpdump.log to remote log server instead of local sensor


From: "samwun" <samwun () hgcbroadband com>
Date: Wed, 28 Jan 2004 18:33:38 +0800

The following config in snort.conf forced the ascii logging (with
payload) data files to log to an IP directory:

output log_ascii: filename snort.log, limit 128

What is your configuration in snort.conf?
Can you tell me how to configure snort to send payload data to your email
account?

Thanks
Sam


-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Wednesday, January 28, 2004 5:42 PM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] same tcpdump.log to remote log server instead
of local sensor

On Tue, 2004-01-27 at 23:14, samwun wrote:
The snort sensor saves tcpdump.log files to the local sensor directory. As
the tcpdump.log files generated by snort contain payload information
for in-depth analysis, it is best for snort to generate these tcpdump.log
files to a remote syslog server in near real-time mode.

Full ASCII dump or full packet dump into a database happens in real-time
mode and is useful for in-depth analysis. I'm not sure why you need
tcpdump format in particular. (I get emails and IRC notifications every
couple minutes, emails with full ASCII dump).

However, the question:
Does anyone know how to generate these tcpdump.log files from snort in
a remote server in the near real-time mode? 
can be answered with "not yet". I'm planning to write a modification to
Snort that allows remote transfers of data for output through any output
plugin, including tcpdump. (I started planning last year Feb but had to
shelve the project due to time constraints. I should be able to pick up
on it later this spring). Stay tuned to snort-users for an announcement
later this year.

Regards,
Frank
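The thread above turns on one practical gap: Snort's log_tcpdump output writes packets with full payload into a local libpcap file, and the poster wants that data on another host in near real time. The script below is an added example, not code from this thread or from Snort. It incrementally parses a libpcap file as it grows, holds back a partially written trailing record instead of mis-parsing it, sanity-checks record lengths against the snaplen so a truncated or corrupted file cannot make it allocate unbounded memory, and extracts the TCP payload from each Ethernet/IPv4 frame so a forwarder could ship just the interesting bytes elsewhere. The sample capture is constructed inline; the names build_tcp_frame, build_pcap, PcapTailer, tcp_payload and follow are chosen here and are not Snort APIs.

```python
import struct
import time

PCAP_MAGIC_LE = 0xA1B2C3D4       # classic libpcap magic, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1       # same magic as seen from a big-endian writer
LINKTYPE_ETHERNET = 1
MAX_RECORD = 262144              # sanity cap per record (a limit chosen for this example)


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IPv4 header length
    if frame[23] != 6:                                       # IP protocol field: 6 = TCP
        return None
    ip_total = struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4                # TCP header length
    start, end = tcp_off + data_off, 14 + ip_total
    return frame[start:min(end, len(frame))]


class PcapTailer:
    """Incremental libpcap reader that can follow a file still being written."""

    GLOBAL_HDR = 24
    RECORD_HDR = 16

    def __init__(self):
        self.buf = b""
        self.endian = None       # "<" or ">" once the global header has been seen
        self.snaplen = None
        self.linktype = None

    def feed(self, data: bytes) -> list:
        """Append bytes from the file; return every record that is now complete."""
        self.buf += data
        out = []
        if self.endian is None:
            if len(self.buf) < self.GLOBAL_HDR:
                return out                                   # header not complete yet
            magic = struct.unpack("<I", self.buf[:4])[0]
            if magic == PCAP_MAGIC_LE:
                self.endian = "<"
            elif magic == PCAP_MAGIC_BE:
                self.endian = ">"
            else:
                raise ValueError("not a libpcap file")
            _maj, _min, _tz, _sig, self.snaplen, self.linktype = struct.unpack(
                self.endian + "HHiIII", self.buf[4:self.GLOBAL_HDR])
            self.buf = self.buf[self.GLOBAL_HDR:]
        while len(self.buf) >= self.RECORD_HDR:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
                self.endian + "IIII", self.buf[:self.RECORD_HDR])
            if incl_len > orig_len or incl_len > self.snaplen or incl_len > MAX_RECORD:
                raise ValueError("corrupt record header")    # never trust lengths blindly
            if len(self.buf) < self.RECORD_HDR + incl_len:
                break                                        # partial record: wait for more
            frame = self.buf[self.RECORD_HDR:self.RECORD_HDR + incl_len]
            self.buf = self.buf[self.RECORD_HDR + incl_len:]
            out.append({
                "ts": ts_sec + ts_usec / 1e6,
                "caplen": incl_len,
                "frame": frame,
                "payload": tcp_payload(frame) if self.linktype == LINKTYPE_ETHERNET else None,
            })
        return out


def follow(path: str, poll: float = 0.5):
    """Yield records from a pcap file as the sensor appends to it (tail -f style)."""
    tailer = PcapTailer()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                time.sleep(poll)
                continue
            for rec in tailer.feed(chunk):
                yield rec


# --- constructed sample data so the example runs offline -------------------

def build_tcp_frame(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; parsing ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))  # TEST-NET addresses
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, ts: int = 1075285418) -> bytes:
    """Serialise frames into a little-endian libpcap blob with Ethernet link type."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        blob += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return blob


if __name__ == "__main__":
    frames = [build_tcp_frame(b"GET / HTTP/1.0\r\n"), build_tcp_frame(b"hello")]
    blob = build_pcap(frames)
    t = PcapTailer()
    cut = 24 + 16 + len(frames[0]) + 10            # split inside the second record
    for rec in t.feed(blob[:cut]) + t.feed(blob[cut:]):
        print(rec["ts"], rec["caplen"], rec["payload"])
```

The split feed in the main block is the case that matters when following a live file: the first call returns only the one record that is fully written, and the second call completes the record the sensor was still writing. A forwarder built on follow() would send each record's payload to a remote collector; sending over TLS or a host-to-host tunnel is advisable, since these records carry raw packet payload.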



