Snort mailing list archives
Re: can snort decode syslog traffic and feed that traffic into logsnorter
From: John Sage <jsage () finchhaven com>
Date: Mon, 03 Dec 2001 19:06:11 -0800
Raymond:I don't believe this is refering to syslog traffic *within* one box, rather I think the idea is that snort can sniff syslog traffic going from one host to another (if they are set up that way...), or from several hosts to a central logserver...
Does that make any sense? snort can output to syslog on the snort box, here's what I use: # output alert_syslog: LOG_AUTH LOG_ALERT output alert_syslog: LOG_DAEMON LOG_ALERT # as from RELEASE As to "logsnorter", I know not... HTH.. - John Raymond Jacob wrote:
I am a lurker and I appologize in advance. I was looking through my December 2001 Linux Journal and on page 34 there are few paragraphs on setting up a stealth logserver by Lance Spitzner of the honeynet project(www.honeynet.org). He suggests:... It is not necessary for a central logserver... to have an IP address; the logserver passively can sniff the log messages via snort or some other packet sniffer... In addition, to configure each DMZ host's syslog.conf file to log to the bogus IP, you'll also need a bougus ARP entry on each sending host. Question: The above makes sense to me. The only part I was not aware of was snort's ability to capture syslog traffic and output that traffic into a syslog messages file? Has anyone written a plugin, if that is the correct word, to do this already? I would assume that logsnorter would be able to convert the cisco and netfilter denials into snort events. Again, I appologize in advance if this question demonstrates my ignorance. Raymond
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 03)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Jason Haar (Dec 03)
- <Possible follow-ups>
- Re: can snort decode syslog traffic and feed that traffic into logsnorter Raymond Jacob (Dec 04)
- Re: can snort decode syslog traffic and feed that traffic into logsnorter John Sage (Dec 04)