Re: can snort decode syslog traffic and feed that traffic into logsnorter

[John Sage <jsage () finchhaven com>]

Raymond:

I don't believe this is refering to syslog traffic *within* one box, 
rather I think the idea is that snort can sniff syslog traffic going 
from one host to another (if they are set up that way...), or from 
several hosts to a central logserver...

Does that make any sense?

snort can output to syslog on the snort box, here's what I use:

# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: LOG_DAEMON LOG_ALERT
# as from RELEASE


As to "logsnorter", I know not...

HTH..

- John

Raymond Jacob wrote:

> I am a lurker and I appologize in advance.
> I was looking through my December 2001
> Linux Journal and on page 34 there
> are few paragraphs on setting up
> a stealth logserver by Lance Spitzner
> of the honeynet project(www.honeynet.org).
> He suggests:...
>  It is not necessary for a central
>  logserver... to have an IP address;
>  the logserver passively can sniff
>  the log messages via snort or
>  some other packet sniffer...
>  In addition, to configure each
>  DMZ host's syslog.conf file to
>  log to the bogus IP, you'll also
>  need a bougus ARP entry on each
>  sending host.
>
> Question: The above makes sense to me.
> The only part I was not aware of was
> snort's ability to capture syslog
> traffic and output that traffic
> into a syslog messages file? Has
> anyone written a plugin, if that
> is the correct word, to do this
> already? I would assume that
> logsnorter would be able to
> convert the cisco and netfilter denials
> into snort events.
>
> Again, I appologize in advance if this
> question demonstrates my ignorance.
> Raymond




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users