Re: Snort and Syslog

[Jeremy Hoel <jthoel () gmail com>]

OSSEC has many rules, you can tweak them.  It's not a False Positive.. it
is something you might want to know, if you have no other tools telling you
the data.


On Thu, Apr 4, 2013 at 5:38 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 4/4/2013 10:45, Josh Bitto wrote:
> > Your probably better off asking this question in rsyslog's mail group.
> I've gotten a lot of help from them.
>
> or even better, report it to OSSEC so it can be fixed and not have the
> problems
> any more... one has to wonder what all the other OSSEC using sites do
> since this
> info is always posted... i just checked a live snort 2.8.something
> installation
> and it posts this info, too... i know there are folks using OSSEC who used
> to
> run snort 2.8...
>
> > -----Original Message-----
> > From: Phil Daws [mailto:uxbod () splatnix net]
> > Sent: Thursday, April 04, 2013 5:24 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Snort and Syslog
> >
> > Hi,
> >
> > When Snort starts it writes specific information to /var/log/messages eg.
> >
> > Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
> Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ]
> -------------------------------------
> > Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
> > Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
> > Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
> > Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4
> bytes)
> > Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
> > Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
> > Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
> > Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
> > Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
> >
> > How can I redirect those messages to a separate file as it plays havoc
> with OSSEC :) I have tried adding snort.none to rsyslog.conf for
> /var/log/messages and then added snort.* to direct too another file. That
> did not work :(
> > Any thoughts please ?
>
>
>
>
> ------------------------------------------------------------------------------
> Minimize network downtime and maximize team effectiveness.
> Reduce network management and security costs.Learn how to hire
> the most talented Cisco Certified professionals. Visit the
> Employer Resources Portal
> http://www.cisco.com/web/learning/employer_resources/index.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!