Snort mailing list archives
RE: Snort-users digest, Vol 1 #1962 - 13 msgs
From: "Jessup, Justin" <Justin.Jessup () usdoj gov>
Date: Wed, 12 Jun 2002 19:50:26 -0400
answer to #1

go to vi snort.conf
go to the output data section where you input username= password= host=
# add sensor_name=falcon
you need to assign a sensor name
add sensor_name=condor # or whatever you want your sensor to be named

also make sure your database permissions allow your user=snort to connect as either the IP address of the remote mysql server or, if the mysql server is localhost, make sure the database permissions allow user=snort to have full control rwx to the snort_log database or whatever you named your databases

respectfully,
justin jessup

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Wednesday, June 12, 2002 7:11 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1962 - 13 msgs
Importance: Low

Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: snort with mysql and acid (roman () danyliw com)
   2. (no subject) (Richard Houston)
   3. Re: Detecting concurrent connections (matt)
   4. Re: (no subject) (Erek Adams)
   5. Configuration HELP! (Jason Martin)
   6. Dies (Bravard, Paul)
   7. Re: Configuration HELP! (understanding alerts and proxies) (matt)
   8. : [Snort-users] Configuration HELP! (understanding alerts and proxies) (Jason Martin)
   9. Re: : [Snort-users] Configuration HELP! (understanding alerts and proxies) (Matt Kettler)
  10. RE: Syslog on W2K (Michael Steele)

--__--__--

Message: 1
To: C White <cwhite () theatomicmoose ca>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] snort with mysql and acid
Date: Wed, 12 Jun 2002 15:10:07 EDT

Take a look at the suggestions in Question #B1 of the database FAQ:
http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html

Roman
> I have snort up and running, however I want it to log to a mysql db. It
> looks like I've configured everything properly, the database plugin has
> been configured, and it still insists on logging everything to a text
> file. When I run snort from the console everything appears fine except
> for the fact that it is logging to a text file. This is what I get when
> I run it on the console:
>
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snort
> database: password is set
> database: database name = snort
> database: host =
> database: sensor name =
> database: sensor id = 1
> database: schema version = 105
> database: using the "log" facility
>
> Am I missing something in the snort.conf file? Any help will be greatly
> appreciated.
>
> many thanks
>
> _______________________________________________________________
> Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 2
Date: Wed, 12 Jun 2002 13:27:03 +0500 (CDT)
From: "Richard Houston" <rhouston () rlhc net>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] (no subject)

Hello all,

I need some help with setting up snort as a NIDS. I have version 1.8.3
installed on a RH 6.2 machine attached to 2 stacked 3com hubs. If I port
scan the snort host I get lots of log messages related to the port scan.
I also use typhon to scan the snort host with a selection of exploit
scans and all seems fine. I have all messages going to syslog.

Now here is the issue. If I scan a host other than the snort host, snort
does not log anything.

Here is the command I used to start snort:

/usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf

Here is the output of ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:60:97:AE:0C:05
          inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:19415209 errors:248 dropped:0 overruns:0 frame:248
          TX packets:439766 errors:0 dropped:0 overruns:0 carrier:0
          collisions:19226 txqueuelen:100
          Interrupt:10 Base address:0x300

Any help would be greatly appreciated.

--
Thanks in advance
Rich

--__--__--

Message: 3
Date: Wed, 12 Jun 2002 15:43:02 -0400
To: Renato Araújo <renato () escelsa com br>, snort-users () lists sourceforge net
From: matt <mkettler () evi-inc com>
Subject: Re: [Snort-users] Detecting concurrent connections

Agreed, snort is not stateful in this respect.
Currently I'd see that this is the kind of thing that really has 2
solutions outside of using snort:

1) I'd suspect that it is possible for some stateful firewalls to implement
connect rate limiting (since they have to track connection states anyway).
This would really only slow them down unless it had some kind of "if they
try to exceed this threshold, shun that IP for an extended period of time".

2) It might be possible to set up some kind of perl-script log watcher that
looks for a large number of "user unknown" errors being generated from the
same originating IP and just add that IP to your /etc/mail/access file (or
whatever similar blocking file your mailserver uses).

Simultaneous state and time based analysis isn't really much the domain of
the current version of snort, which is really looking for intrusion
signatures, portscans (large number of different ports over time), and
anomalous syn packets. There are some stateful aspects, and some time
aspects, but none that analyze state and time currently.

There's been some talk in the past of modifying spp_portscan to create a
spp_synflood (looking for a large number of syn connections to the same
port in a given time window), but this doesn't really determine how many of
these connections are concurrent. Dig in the archives, someone once posted
a small patch to get that effect.

At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
> I want to configure a snort rule to detect if there is a number of
> concurrent connections to a server. Example, I want snort to detect if
> anyone has 15 or more connections simultaneously established to my smtp
> server. Anyone knows if this is possible?
>
> I need this because someone used a program that sends tons of emails to
> my server to discover valid emails. I solved the problem by blocking the
> IP with iptables, but I'm looking for an automated solution.
>
> Atenciosamente (sincerely),
> Renato Araújo
>
> ---------------------------------------------
> Unix _IS_ user friendly - it's just selective about who its friends are!
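Matt's second option above (a log watcher that counts "user unknown" rejects per source IP and feeds /etc/mail/access) is shown here as an added example; it is not code from Matt, Renato or the Snort project, and it is written in Python rather than Perl. It reads sendmail reject lines, keeps a sliding time window per client IP, skips an allow-list so an internal relay can never get the whole office blocked, and renders sendmail access-map lines. The log lines are constructed samples in the shape of a sendmail check_rcpt reject; the threshold of 4 rejects in 300 seconds and the 10.1.1.0/24 allow-list are assumptions chosen for the demo.

```python
"""Sendmail 'User unknown' watcher: flag clients that probe many recipient
addresses and emit sendmail access-map entries for them.

Added example (not Matt's or Renato's code). The log lines are constructed
samples in the shape of a sendmail check_rcpt reject; the threshold, window
and allow-list values are assumptions chosen for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/maillog. The relay= field carries the
# client IP in brackets, with an optional reverse-DNS name in front of it.
SAMPLE_LOG = """\
Jun 12 12:03:01 mx sm-mta[4412]: g5CG31x004412: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
Jun 12 12:03:02 mx sm-mta[4413]: g5CG32x004413: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.com>... User unknown
Jun 12 12:03:02 mx sm-mta[4414]: g5CG32x004414: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mail.partner.example [198.51.100.7], reject=550 5.1.1 <bob@example.com>... User unknown
Jun 12 12:03:03 mx sm-mta[4415]: g5CG33x004415: ruleset=check_rcpt, arg1=<adam@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.com>... User unknown
Jun 12 12:03:04 mx sm-mta[4416]: g5CG34x004416: from=<alice@example.org>, size=1412, class=0, nrcpts=1, relay=[192.0.2.10]
Jun 12 12:03:05 mx sm-mta[4417]: g5CG35x004417: ruleset=check_rcpt, arg1=<alan@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.com>... User unknown
Jun 12 12:03:06 mx sm-mta[4418]: g5CG36x004418: ruleset=check_rcpt, arg1=<joe@example.com>, relay=[10.1.1.9], reject=550 5.1.1 <joe@example.com>... User unknown
Jun 12 12:03:06 mx sm-mta[4419]: g5CG36x004419: ruleset=check_rcpt, arg1=<jim@example.com>, relay=[10.1.1.9], reject=550 5.1.1 <jim@example.com>... User unknown
Jun 12 12:03:07 mx sm-mta[4420]: g5CG37x004420: ruleset=check_rcpt, arg1=<jon@example.com>, relay=[10.1.1.9], reject=550 5.1.1 <jon@example.com>... User unknown
Jun 12 12:03:08 mx sm-mta[4421]: g5CG38x004421: ruleset=check_rcpt, arg1=<jan@example.com>, relay=[10.1.1.9], reject=550 5.1.1 <jan@example.com>... User unknown
Jun 12 12:09:30 mx sm-mta[4499]: g5CG9Ux004499: ruleset=check_rcpt, arg1=<zed@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <zed@example.com>... User unknown
"""

# Syslog timestamp, then the client IP out of relay=, then the reject text.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"relay=(?:\S+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?User unknown"
)


def find_harvesters(log_text, threshold=4, window_seconds=300,
                    allow=("10.1.1.0/24",)):
    """Return {ip: peak_count} for clients that produced at least
    `threshold` unknown-recipient rejects inside any `window_seconds`
    span. Clients inside an allow-listed network are never flagged."""
    allowed = [ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> reject timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue               # accepted mail, deliveries, other noise
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in allowed):
            continue
        # syslog stamps carry no year; year 1900 is fine for relative windows
        t = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()            # slide the window forward
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def access_map_entries(flagged):
    """Render lines for /etc/mail/access (Connect:<ip><TAB>REJECT)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(flagged)]


if __name__ == "__main__":
    for entry in access_map_entries(find_harvesters(SAMPLE_LOG)):
        print(entry)
```

On a live system the watcher would be fed from the tail of the mail log and the rendered lines appended to /etc/mail/access, after which the map has to be rebuilt with makemap for sendmail to see it. Two caveats a practitioner would want: put your own relays and any NAT gateways your users sit behind in the allow-list before enabling automatic blocking, and expire the entries after a while, since an automated block with no expiry is a denial-of-service lever against any address the prober chooses to spoof in its HELO-time connections.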
--__--__--

Message: 4
Date: Wed, 12 Jun 2002 13:01:27 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Richard Houston <rhouston () rlhc net>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

On Wed, 12 Jun 2002, Richard Houston wrote:
> I need some help with setting up snort as a NIDS. I have version 1.8.3
> installed on a RH 6.2 machine attached to 2 stacked
Consider upgrading. 1.8.6 is the most current, with 1.8.7beta6 in the works. There are lots of little 'gotchas' that were fixed in the 1.8.x line.
> 3com hubs. If I port scan the snort host I get lots of log messages
> related to the port scan. I also use typhon to scan the snort host with
> a selection of exploit scans and all seems fine. I have all messages
> going to syslog. Now here is the issue. If I scan a host other than the
> snort host, snort does not log anything.
Yep. Sounds just like: http://www.snort.org/docs/faq.html#6.21
> Here is the command I used to start snort.
>
> /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf
If you're running snort as a daemon, then you don't need '-d, -v, -e, and
-d'. -ved tells snort to write to STDOUT and to decode the packets on the
fly. -D uncouples snort from STDOUT, but due to the other switches, snort
is still trying to decode and print those things--wasting CPU.

[...snip...]

You might also want to check what $HOME_NET and $EXTERNAL_NET are set to.
I would suggest:

var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET

as a starting point--If they aren't like that already.

Oh, and try to give us a subject line next time. Some folks sort email
based on subjects.... And that's the common subject sent to /dev/null. ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 5
From: Jason Martin <jmartin () hhsc org>
To: snort-users () lists sourceforge net
Date: Wed, 12 Jun 2002 10:18:25 -1000
Subject: [Snort-users] Configuration HELP!

Hello:

Configuration: Snort WIN32 1.8 port on a Win2k Pro. Running snort from the
command line: Snort -dev -c snort.conf

Below is a snippet of my config file. I tried to set my variables so that
only my PC would be considered "home" and snort would treat all other
packets as being external. However, Snort is not logging IDS alerts except
for activity from my machine (var HOME_NET). If I scan the Snort machine
from a test machine it detects nothing. As soon as I scan the test machine
with my Snort machine, Snort lights up. To alleviate this problem I placed
my IP address in the preprocessor portscan-ignorehosts section; that
didn't work either. It is still alarming off of traffic sent from my PC.
I must have mis-configured something and was hoping someone could shed
some light on the situation. I've also noticed that any trigger events
that do happen to be logged all show traffic flow coming from my machine.
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]

The x.x.x.77 machine is the machine that was scanning me, but the traffic
flow shows my machine responding to the proxy scan; it did not create an
event showing a scan coming from the scanning machine. When I look at
this, it makes me think I was scanning x.x.x.77. Or, am I just
misunderstanding the log?

Thanks in advance for any help.

~Jason

===========================
var HOME_NET x.x.x.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET

Confidentiality Notice: This email message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure, or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.

--__--__--

Message: 6
From: "Bravard, Paul" <PBravard () reillyind com>
To: snort-users () lists sourceforge net
Date: Wed, 12 Jun 2002 15:38:40 -0500
Subject: [Snort-users] Dies

MY Snort running with mysql keeps dying. Anyone have a good tool to monitor
status of Snort?
--__--__--

Message: 7
Date: Wed, 12 Jun 2002 17:08:11 -0400
To: Jason Martin <jmartin () hhsc org>, snort-users () lists sourceforge net
From: matt <mkettler () evi-inc com>
Subject: Re: [Snort-users] Configuration HELP! (understanding alerts and proxies)

This indicates that the machine xx.xx.xx.243 contacted (or attempted to at
least) a socks proxy server on the xx.xx.xx.77 machine.

THIS COULD BE NORMAL. If your network is set up such that you use a proxy
server for your internet connection.. well.. then yes.. you've detected
something normal. This kind of connection is generally only of concern
when someone outside your network tries to connect to a proxy server
inside it.

Correct your definition of HOME_NET to only include machines under your
control, and exclude those owned by your ISP to prevent such false alarms.
Or configure EXTERNAL_NET to be !$HOME_NET instead of any.

At 10:18 AM 6/12/2002 -1000, Jason Martin wrote:
> Hello:
>
> Configuration: Snort WIN32 1.8 port on a Win2k Pro. Running snort from
> the command line: Snort -dev -c snort.conf
>
> Below is a snippet of my config file. I tried to set my variables so
> that only my PC would be considered "home" and snort would treat all
> other packets as being external. However, Snort is not logging IDS
> alerts except for activity from my machine (var HOME_NET). If I scan the
> Snort machine from a test machine it detects nothing. As soon as I scan
> the test machine with my Snort machine, Snort lights up. To alleviate
> this problem I placed my IP address in the preprocessor
> portscan-ignorehosts section; that didn't work either. It is still
> alarming off of traffic sent from my PC. I must have mis-configured
> something and was hoping someone could shed some light on the situation.
> I've also noticed that any trigger events that do happen to be logged
> all show traffic flow coming from my machine.
>
> [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
> TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> [Xref => http://help.undernet.org/proxyscan/]
>
> The x.x.x.77 machine is the machine that was scanning me, but the
> traffic flow shows my machine responding to the proxy scan; it did not
> create an event showing a scan coming from the scanning machine. When I
> look at this, it makes me think I was scanning x.x.x.77. Or, am I just
> misunderstanding the log?
>
> Thanks in advance for any help.
>
> ~Jason
>
> ===========================
> var HOME_NET x.x.x.243/32
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
> var RULE_PATH /rules
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
> preprocessor portscan-ignorehosts: $HOME_NET
--__--__--

Message: 8
From: Jason Martin <jmartin () hhsc org>
To: "SNORT LIST (E-mail)" <snort-users () lists sourceforge net>
Subject: : [Snort-users] Configuration HELP! (understanding alerts and proxies)
Date: Wed, 12 Jun 2002 11:51:13 -1000

Let me follow-up on this before I get similar responses. I don't think I
was very clear. x.x.90.77 is a test machine I am using to scan my
x.x.90.243 machine. The proxy scan is part of the scan I am using to
emulate a PROXY scan attempt. The problem is the scan was from x.x.x.77
but my logs only show the ACK of my machine responding to x.x.x.77's
request SYN port scan of my machine on that port. None of the other
signatures for the port scan show up; in fact the only reason this was
logged was because of the traffic generated by x.x.x.243. I'm looking for
someone to point out where I misconfigured my config file so that it is
detecting ONLY traffic generated by x.x.x.243 even though I have it in my
portscan-ignore section. I guess it's two part: why is it not detecting
any external scans, and why is it not pre-processing my ignore variable?

Problem in a nutshell: IDS signatures when scans are run from x.x.x.243
are captured in logs. ALL scans from various other test machines against
x.x.x.243 do not log. I do however see the traffic when I am running
snort -dev -c snort.conf, so the interface is grabbing the packets. I
think I mis-configured my config file so it doesn't know how to properly
alert me. Or I'm just not making any sense and the way I'm phrasing my
problem isn't coming across correctly.

I hope this made things a little clearer.

~Jason
--__--__--

Message: 9
Date: Wed, 12 Jun 2002 18:51:53 -0400
To: Jason Martin <jmartin () hhsc org>, "SNORT LIST (E-mail)" <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: : [Snort-users] Configuration HELP! (understanding alerts and proxies)

Ok, that clears things up a little bit.

First question: what version of snort are you running? You've said it's a
1.8 win32 port. Which one? If it is older than snort 1.8.5, upgrade. Some
members of the 1.8.x family had very significant bugs and I'd not even
bother trying to determine if it's a config file problem if you're running
one. (ie: strange bugs in stream processing, strange bugs in the frag
reassembler)

http://www.snort.org/dl/binaries/

In general your config in your original email looks "good" at first
glance, and that alert should not have occurred unless the proxy attempt
rule you are using is any -> any instead of EXTERNAL_NET -> HOME_NET.

You could try this:

replace this:
var HOME_NET x.x.x.243/32
with
var HOME_NET [x.x.x.243/32]

I know you should only need the braces for multi-IP cases, but I always
use them myself. I doubt it will fix it, but won't take long to try.

At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
> Let me follow-up on this before I get similar responses. I don't think
> I was very clear. x.x.90.77 is a test machine I am using to scan my
> x.x.90.243 machine. The proxy scan is part of the scan I am using to
> emulate a PROXY scan attempt. The problem is the scan was from x.x.x.77
> but my logs only show the ACK of my machine responding to x.x.x.77's
> request SYN port scan of my machine on that port. None of the other
> signatures for the port scan show up; in fact the only reason this was
> logged was because of the traffic generated by x.x.x.243. I'm looking
> for someone to point out where I misconfigured my config file so that
> it is detecting ONLY traffic generated by x.x.x.243 even though I have
> it in my portscan-ignore section. I guess it's two part: why is it not
> detecting any external scans, and why is it not pre-processing my
> ignore variable?
>
> Problem in a nutshell: IDS signatures when scans are run from x.x.x.243
> are captured in logs. ALL scans from various other test machines
> against x.x.x.243 do not log. I do however see the traffic when I am
> running snort -dev -c snort.conf, so the interface is grabbing the
> packets. I think I mis-configured my config file so it doesn't know how
> to properly alert me. Or I'm just not making any sense and the way I'm
> phrasing my problem isn't coming across correctly.
>
> I hope this made things a little clearer.
>
> ~Jason
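Matt's diagnosis above (the alert can only come from an any -> any header, since an EXTERNAL_NET -> HOME_NET header cannot match a SYN whose destination is outside HOME_NET) and Erek's suggestion in Message 4 to set EXTERNAL_NET to !$HOME_NET can both be checked mechanically. What follows is an added example, not Snort's own matcher and not posted by anyone in the thread: a small Python model of how a Snort 1.8 `var` address spec is resolved (any, a CIDR, a bracketed list, `$VAR`, and `!` negation, including `!$HOME_NET`) and how a packet is tested against a rule header. The 192.0.2.x addresses are documentation-range stand-ins for Jason's x.x.x.243 and x.x.x.77 hosts, the two rule headers are constructed in the shapes Matt contrasts rather than copied from the real SID 615 rule, and only the header is modelled; rule options such as flags:S are ignored.

```python
"""Resolve Snort 1.8-style address variables and test packets against a
rule header, to show why EXTERNAL_NET any vs !$HOME_NET matters.

Added example, not Snort's code. 192.0.2.x stands in for the x.x.x.243 and
x.x.x.77 hosts in the thread; rule headers are constructed, not SID 615."""
from ipaddress import ip_address, ip_network


def parse_vars(conf_text):
    """Collect `var NAME value` lines from a snort.conf snippet."""
    variables = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2].strip()
    return variables


class AddrSet:
    """One address field: any | CIDR | [a,b,...] | $VAR, with optional
    leading ! (negation composes through $VAR, so !$X where X=!Y is Y)."""

    def __init__(self, spec, variables):
        spec = spec.strip()
        self.negate = spec.startswith("!")
        if self.negate:
            spec = spec[1:].strip()
        if spec.startswith("$"):                      # resolve $VAR recursively
            inner = AddrSet(variables[spec[1:]], variables)
            self.any, self.nets = inner.any, inner.nets
            self.negate ^= inner.negate
            return
        if spec.startswith("[") and spec.endswith("]"):
            spec = spec[1:-1]                         # brackets are optional
        parts = [p.strip() for p in spec.split(",") if p.strip()]
        self.any = parts == ["any"]
        self.nets = [] if self.any else [ip_network(p, strict=False) for p in parts]

    def contains(self, ip):
        hit = self.any or any(ip_address(ip) in n for n in self.nets)
        return hit != self.negate


def port_matches(spec, port):
    """Port field: any | N | lo:hi (either end may be open), optional !."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule_header, pkt, variables):
    """True if pkt (proto/src/sport/dst/dport) satisfies the header
    'action proto src sport -> dst dport' ('<>' tests both directions)."""
    _action, proto, src, sport, direction, dst, dport = rule_header.split()
    if proto not in ("any", "ip", pkt["proto"]):
        return False

    def one_way(sa, sp, da, dp):
        return (AddrSet(sa, variables).contains(pkt["src"]) and port_matches(sp, pkt["sport"])
                and AddrSet(da, variables).contains(pkt["dst"]) and port_matches(dp, pkt["dport"]))

    if direction == "->":
        return one_way(src, sport, dst, dport)
    if direction == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    raise ValueError(f"bad direction operator {direction!r}")


# Jason's variables as posted, and the !$HOME_NET form Erek and Matt suggest.
JASON_CONF = "var HOME_NET 192.0.2.243/32\nvar EXTERNAL_NET any\n"
FIXED_CONF = "var HOME_NET [192.0.2.243/32]\nvar EXTERNAL_NET !$HOME_NET\n"
# Constructed headers in the two shapes Matt contrasts.
DIRECTIONAL_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 1080"
LOOSE_RULE = "alert tcp any any -> any 1080"
# The SYN in Jason's alert (.243 opening 1080 on .77) and the probe he expected.
OUTBOUND = dict(proto="tcp", src="192.0.2.243", sport=1282, dst="192.0.2.77", dport=1080)
INBOUND = dict(proto="tcp", src="192.0.2.77", sport=1282, dst="192.0.2.243", dport=1080)


def evaluate():
    """Map (conf, rule, packet) -> whether the header fires."""
    out = {}
    for conf_name, conf in (("as_posted", JASON_CONF), ("fixed", FIXED_CONF)):
        v = parse_vars(conf)
        for rule_name, rule in (("directional", DIRECTIONAL_RULE), ("loose", LOOSE_RULE)):
            for pkt_name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND)):
                out[(conf_name, rule_name, pkt_name)] = header_matches(rule, pkt, v)
    return out


if __name__ == "__main__":
    for (conf, rule, pkt), fired in sorted(evaluate().items()):
        print(f"{conf:9} {rule:11} {pkt:8} {'ALERT' if fired else '-'}")
```

Run as a script, the table shows that the outbound SYN from Jason's alert fires only the any -> any header under either variable set, which is exactly the condition Matt names, while the directional header fires for the probe coming in from .77 under both. Setting EXTERNAL_NET to !$HOME_NET changes nothing for these two packets but guarantees that a packet sourced from the sensor's own address can never satisfy $EXTERNAL_NET, which closes the false-positive class Matt describes in Message 7 for any rule that is written EXTERNAL_NET -> HOME_NET.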
--__--__--

Message: 10
From: "Michael Steele" <michaels () silicondefense com>
To: "'Steven Williams'" <Steven.Williams () computershare com au>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Syslog on W2K
Date: Wed, 12 Jun 2002 16:11:16 -0700

Steve,

That won't work. You are going to have to use a 3rd party Syslog Server
like Kiwi Syslog Daemon which will do everything you need, including
emailing alerts, but not freeware.

If you find anything else on the freeware side, could you let me know? I
have a list of people looking for a freeware utility for emailing alerts
on Windows.

http://www.kiwisyslog.com/

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Steven Williams
Sent: Tuesday, June 11, 2002 8:57 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Syslog on W2K

Hi,

I am using snort 1.8.6 on W2K.

I wish to log to the mysql database, but also log to a syslog server using
the commands below;

output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X
output database: alert, mysql, user=username dbname=database sensor_name=sensor1 password=password host=X.X.X.X

When I run snort, I get a warning message stating "Unrecognized syslog
facility/priority: host=X.X.X.X"

Has anyone successfully got snort to syslog to a remote syslog server? If
so, can you let me know how you did it?

Also, has anyone got anything like Swatch on a W32 machine to report from
Syslog Files?
Thanks
Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services
PH +61 3 92355651
FAX +61 3 94732409
www.computershare.com

---
This email and any files transmitted with it are solely intended for the
use of the addressee(s) and may contain information that is confidential
and privileged. If you receive this email in error, please advise us by
return email immediately. Please also disregard the contents of the email,
delete it and destroy any copies immediately. Computershare Limited and
its subsidiaries do not accept liability for the views expressed in the
email or for the consequences of any computer viruses that may be
transmitted with this email. This email is also subject to copyright. No
part of it should be reproduced, adapted or transmitted without the
written consent of the copyright owner.
I run snort, I get a warning = message stating "Unrecognized syslog facility/priority: = host=3DX.X.X.X"<o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'><span = style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'>Has anyone successfully got snort to = syslog to a remote syslog server? If so, can you let me know how you did = it?<o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'><span = style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'>Also, has anyone got anything like = Swatch on a W32 machine to report from Syslog Files?<o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'><span = style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'>Thanks<o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 
10.0pt;font-family:"Courier New"'><span = style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'margin-left:.5in;mso-layout-grid-align:none; text-autospace:none'><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt;font-family:"Courier New"'>Steve<o:p></o:p></span></font></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo= nt></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo= nt></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><b><font size=3D2 = color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:purple; font-weight:bold;mso-no-proof:yes'>Steve Williams</span></font></b><span style=3D'mso-no-proof:yes'><o:p></o:p></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:purple; mso-no-proof:yes'>Communications </span></font><st1:PersonName><font = size=3D2 color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial; = color:purple;mso-no-proof:yes'>Support</span></font></st1:PersonName><fon= t size=3D2 color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial; color:purple;mso-no-proof:yes'> Engineer</span></font><span = style=3D'mso-no-proof: yes'><o:p></o:p></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:purple; mso-no-proof:yes'>Computershare Technology Services</span></font><span style=3D'mso-no-proof:yes'><o:p></o:p></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 = face=3D"Times New Roman"><span style=3D'font-size:12.0pt;mso-no-proof:yes'> <o:p></o:p></span></fon= 
t></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:purple; mso-no-proof:yes'>PH +61 3 92355651</span></font><span = style=3D'mso-no-proof: yes'><o:p></o:p></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dpurple face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:purple; mso-no-proof:yes'>FAX +61 3 94732409</span></font><span = style=3D'mso-no-proof: yes'><o:p></o:p></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;mso-no-proof:yes'><a href=3D"http://www.computershare.com">www.computershare.com</a></span></f= ont><o:p></o:p></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 = face=3D"Times New Roman"><span style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 = face=3D"Courier New"><span style=3D'font-size:12.0pt;font-family:"Courier = New";mso-fareast-font-family:SimSun'><br> <br> <code><font face=3D"Courier New"><span = style=3D'mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt'>---</span></font></code><br> <code><font face=3D"Courier New"><span = style=3D'mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt'>This email and any files transmitted with it = are solely intended for the use of the</span></font></code><br> <code><font face=3D"Courier New"><span = style=3D'mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt'>addressee(s) and may contain information that = is confidential and privileged. If you</span></font></code><br> <code><font face=3D"Courier New"><span = style=3D'mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt'>receive this email in error, please advise us = by return email immediately. 
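The warning Steve quotes comes from the token after LOG_ALERT being read as a facility/priority name. As an added example (not from the thread and not Snort's own code), a standalone lint that applies that same tokenisation to the two output lines above and also checks the database line for the key=value parameters it uses; the LOG_* name sets and the required-key list are assumptions of the example.

```python
"""Standalone lint for Snort 'output' directives (added example, not Snort code).
It reproduces the warning quoted in the thread by treating every token after
'output alert_syslog:' as a syslog facility/priority name, so 'host=X.X.X.X'
is flagged the way Snort reports it.  The LOG_* name sets are assumed."""
import re

FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER", "LOG_SYSLOG",
              *{f"LOG_LOCAL{i}" for i in range(8)}}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
# key=value parameters the thread's 'output database:' line carries (assumed required)
DB_REQUIRED = {"user", "password", "dbname", "host", "sensor_name"}
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")


def lint_output_line(line):
    """Return a list of warning strings for one 'output <plugin>: <args>' line."""
    m = OUTPUT_RE.match(line)
    if not m:
        return []  # comments, blank lines and other directives are ignored
    plugin, args = m.groups()
    warnings = []
    if plugin == "alert_syslog":
        for tok in args.split():
            if tok not in FACILITIES and tok not in PRIORITIES:
                warnings.append(f"Unrecognized syslog facility/priority: {tok}")
    elif plugin == "database":
        # "alert, mysql, user=x dbname=y ..." -> keep only the key=value pairs
        kv = dict(p.split("=", 1) for p in args.replace(",", " ").split() if "=" in p)
        for key in sorted(DB_REQUIRED - kv.keys()):
            warnings.append(f"database: missing {key}=")
    return warnings


def lint_conf(text):
    """Map 1-based line numbers to their warnings for every offending line."""
    return {n: w for n, line in enumerate(text.splitlines(), 1)
            if (w := lint_output_line(line))}


# Constructed sample: the two lines quoted in the thread plus a database
# line that forgets sensor_name.
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X
output database: alert, mysql, user=username dbname=database sensor_name=sensor1 password=password host=X.X.X.X
output database: log, mysql, user=snort dbname=snort_log password=secret host=127.0.0.1
"""
```

Running `lint_conf(SAMPLE_CONF)` reports line 1 with the exact warning from the thread and line 3 for the missing sensor_name.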
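For the Swatch-on-W32 question, an added example (not from the thread, Swatch or Snort) of the matching step such a reporter needs: it parses the message Snort's alert_syslog plugin writes into a syslog file and keeps alerts at or above a priority threshold, ready to be handed to whatever mail action is available. The message layout ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst") and the sample lines are assumptions of the example.

```python
"""Swatch-style filter for Snort alerts in a syslog file (added example, not
from the thread or from Snort).  Parses the alert_syslog message layout
(assumed) and keeps alerts whose priority is at or above a threshold;
in Snort, priority 1 is the most severe."""
import re
from collections import Counter

SNORT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)")


def parse_snort_syslog(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    return rec


def filter_alerts(lines, max_priority=1):
    """Keep alerts with priority <= max_priority (lower number = more severe)."""
    hits = []
    for line in lines:
        rec = parse_snort_syslog(line)
        if rec and rec["prio"] <= max_priority:
            hits.append(rec)
    return hits


def summarize(alerts):
    """Count alerts per sid: the shape of a digest a mail reporter would send."""
    return dict(Counter(a["sid"] for a in alerts))


# Constructed sample syslog lines (sids illustrative, RFC 5737 addresses).
SAMPLE_LOG = [
    "Jun 11 20:57:01 sensor1 snort: [1:1243:2] WEB-IIS ISAPI .ida attempt "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.10:3344 -> 198.51.100.20:80",
    "Jun 11 20:57:04 sensor1 snort: [1:469:1] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.20",
    "Jun 11 20:57:09 sensor1 kernel: eth0: link up, 100 Mbps full duplex",
    "Jun 11 20:58:30 sensor1 snort: [1:1243:2] WEB-IIS ISAPI .ida attempt "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.77:4012 -> 198.51.100.20:80",
]
```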