Snort mailing list archives
RE: Snort-users digest, Vol 1 #1962 - 13 msgs
From: "Jessup, Justin" <Justin.Jessup () usdoj gov>
Date: Wed, 12 Jun 2002 19:50:26 -0400
Answer to #1:

Go to vi snort.conf, go to the output data section where you input username= password= host= # add sensor_name=falcon

You need to assign a sensor name: add sensor_name=condor # or whatever you want your sensor to be named.

Also make sure your database permissions allow your user=snort to connect as either the IP address of the remote mysql server or, if the mysql server is localhost, make sure the database permissions allow user=snort to have full control rwx to the snort_log database or whatever you named your databases.

Respectfully,
Justin Jessup

-----Original Message-----
From: snort-users-request () lists sourceforge net
Sent: Wednesday, June 12, 2002 7:11 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1962 - 13 msgs
Importance: Low

Today's Topics:
1. Re: snort with mysql and acid (roman () danyliw com)
2. (no subject) (Richard Houston)
3. Re: Detecting concurrent connections (matt)
4. Re: (no subject) (Erek Adams)
5. Configuration HELP! (Jason Martin)
6. Dies (Bravard, Paul)
7. Re: Configuration HELP! (understanding alerts and proxies) (matt)
8. : [Snort-users] Configuration HELP! (understanding alerts and proxies) (Jason Martin)
9. Re: : [Snort-users] Configuration HELP! (understanding alerts and proxies) (Matt Kettler)
10. RE: Syslog on W2K (Michael Steele)
--__--__--
Message: 1
To: C White <cwhite () theatomicmoose ca>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] snort with mysql and acid
Date: Wed, 12 Jun 2002 15:10:07 EDT
Take a look at the suggestions in Question #B1 of the database FAQ:
http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html
Roman
I have snort up and running, however I want it to log to a mysql db. It looks like I've configured everything properly, the database plugin has been configured, and it still insists on logging everything to a text file when I run snort from the console. Everything appears fine except for the fact that it is logging to a text file. This is what I get when I run it on the console:
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host =
database: sensor name =
database: sensor id = 1
database: schema version = 105
database: using the "log" facility
Am I missing something in the snort.conf file? Any help will be greatly appreciated. Many thanks.
--__--__--
Message: 2
Date: Wed, 12 Jun 2002 13:27:03 +0500 (CDT)
From: "Richard Houston" <rhouston () rlhc net>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] (no subject)
Hello all,
I need some help with setting up snort as a NIDS.
I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked
3com hubs. If I port scan the snort host I get lots of log messages
related to the port scan. I also use typhon to scan the snort host with
a selection of exploits Scan and all seems fine. I have all messages
going to syslog.
Now here is the issue. If I scan a host other than the snort host, snort
does not log anything.
Here is the command I used to start snort.
/usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
/etc/snort/snort.conf
Here is the output of ifconfig:
eth0 Link encap:Ethernet HWaddr 00:60:97:AE:0C:05
inet addr:10.1.1.2 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:19415209 errors:248 dropped:0 overruns:0 frame:248
TX packets:439766 errors:0 dropped:0 overruns:0 carrier:0
collisions:19226 txqueuelen:100
Interrupt:10 Base address:0x300
Any help would be greatly appreciated.
--
Thanks in advance
Rich
--__--__--
Message: 3
Date: Wed, 12 Jun 2002 15:43:02 -0400
To: Renato Araújo <renato () escelsa com br>,
snort-users () lists sourceforge net
From: matt <mkettler () evi-inc com>
Subject: Re: [Snort-users] Detecting concurrent connections
Agreed, snort is not stateful in this respect.
Currently I'd see that this is the kind of thing that really has 2 solutions outside of using snort:
1) I'd suspect that it is possible for some stateful firewalls to implement connect rate limiting (since they have to track connection states anyway). This would really only slow them down unless it had some kind of "if they try to exceed this threshold, shun that IP for an extended period of time".
2) It might be possible to set up some kind of perl-script log watcher that looks for a large number of "user unknown" errors being generated from the same originating IP and just add that IP to your /etc/mail/access file (or whatever similar blocking file your mailserver uses).
Simultaneous state and time based analysis isn't really much the domain of the current version of snort, which is really looking for intrusion signatures, portscans (large number of different ports over time), and anomalous syn packets. There are some stateful aspects, and some time aspects, but none that analyze state and time currently.
There's been some talk in the past of modifying spp_portscan to create a spp_synflood (looking for a large number of syn connections to the same port in a given time window), but this doesn't really determine how many of these connections are concurrent. Dig in the archives, someone once posted a small patch to get that effect.
At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
I want to configure a snort rule to detect if there is a number of concurrent connections to a server. Example: I want snort to detect if anyone has 15 or more connections simultaneously established to my smtp server. Anyone know if this is possible? I need this because someone used a program that sends tons of emails to my server to discover valid emails. I solved the problem by blocking the IP with iptables, but I'm looking for an automated solution.
Atenciosamente (sincerely),
Renato Araújo
---------------------------------------------
Unix _IS_ user friendly - it's just selective about who its friends are!
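Matt's second suggestion above, a log watcher that counts "user unknown" rejects per originating IP and turns repeat offenders into /etc/mail/access entries, as an added Python example (it is not code from the thread; Matt proposed doing it in perl). The maillog lines are constructed in roughly sendmail's check_rcpt reject format, and the threshold and window are assumptions to tune for your own mail volume.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog: five rapid "User unknown" rejects from one client
# (a directory-harvest pattern), one normal delivery, and one isolated typo from
# a legitimate relay that must NOT be blocked.
SAMPLE_MAILLOG = """\
Jun 12 11:58:01 mail sendmail[2101]: g5CFw1a02101: ruleset=check_rcpt, arg1=<aaron@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <aaron@example.org>... User unknown
Jun 12 11:58:02 mail sendmail[2101]: g5CFw1a02101: ruleset=check_rcpt, arg1=<abby@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <abby@example.org>... User unknown
Jun 12 11:58:02 mail sendmail[2101]: g5CFw1a02101: ruleset=check_rcpt, arg1=<adam@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <adam@example.org>... User unknown
Jun 12 11:58:03 mail sendmail[2101]: g5CFw1a02101: ruleset=check_rcpt, arg1=<alan@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <alan@example.org>... User unknown
Jun 12 11:58:03 mail sendmail[2101]: g5CFw1a02101: ruleset=check_rcpt, arg1=<alex@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <alex@example.org>... User unknown
Jun 12 11:58:40 mail sendmail[2190]: g5CFwea02190: from=<alice@example.com>, size=1043, class=0, nrcpts=1, relay=mx.example.com [198.51.100.10]
Jun 12 12:02:11 mail sendmail[2233]: g5CG2Ba02233: ruleset=check_rcpt, arg1=<typo@example.org>, relay=mx.example.com [198.51.100.10], reject=550 5.1.1 <typo@example.org>... User unknown
"""

# "Mon DD HH:MM:SS host sendmail[pid]: queueid: rest"
LINE_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\S+): (.*)$")
# relay=[1.2.3.4] or relay=name.example [1.2.3.4]; we key on the address, not the name
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[([\d.]+)\]")


def parse_user_unknown(text, year=2002):
    """Return (timestamp, client_ip) for every 'User unknown' reject in the log.

    syslog timestamps carry no year, so the caller supplies it (assumption:
    the whole log is from one year).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "User unknown" not in m.group(3):
            continue
        relay = RELAY_RE.search(m.group(3))
        if not relay:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, relay.group(1)))
    return events


def offenders(events, threshold=15, window=timedelta(minutes=10)):
    """Sliding-window count per IP.

    An IP is flagged the first time it accumulates `threshold` rejects inside
    `window`; the returned dict maps IP -> time it crossed the line.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop rejects older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def access_entries(flagged):
    """Lines in sendmail's tagged /etc/mail/access format (Connect: tag, REJECT)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(flagged)]


if __name__ == "__main__":
    evts = parse_user_unknown(SAMPLE_MAILLOG)
    # Low threshold and short window so the constructed sample trips the rule.
    bad = offenders(evts, threshold=5, window=timedelta(minutes=1))
    for entry in access_entries(bad):
        print(entry)
```

After appending the entries to /etc/mail/access the map still has to be rebuilt (makemap) before sendmail honours them, and the legitimate relay with a single bounce stays untouched.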
--__--__--
Message: 4
Date: Wed, 12 Jun 2002 13:01:27 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Richard Houston <rhouston () rlhc net>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)
On Wed, 12 Jun 2002, Richard Houston wrote:
I need some help with setting up snort as a NIDS. I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked
Consider upgrading. 1.8.6 is the most current, with 1.8.7beta6 in the works. There are lots of little 'gotchas' that were fixed in the 1.8.x line.
3com hubs. If I port scan the snort host I get lots of log messages related to the port scan. I also use typhon to scan the snort host with a selection of exploits Scan and all seems fine. I have all messages going to syslog. Now here is the issue. If I scan a host other than the snort host, snort does not log anything.
Yep. Sounds just like:
http://www.snort.org/docs/faq.html#6.21
Here is the command I used to start snort. /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf
If you're running snort as a daemon, then you don't need '-d, -v, -e, and -d'.
-ved tells snort to write to STDOUT and to decode the packets on the fly. -D
uncouples snort from STDOUT, but due to the other switches, snort is still
trying to decode and print those things--wasting CPU.
[...snip...]
You might also want to check what $HOME_NET and $EXTERNAL_NET are set to. I
would suggest:
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET
as a starting point--If they aren't like that already.
Oh, and try to give us a subject line next time. Some folks sort email based
on subjects.... And that's the common subject sent to /dev/null. ;-)
Cheers!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
--__--__--
Message: 5
From: Jason Martin <jmartin () hhsc org>
To: snort-users () lists sourceforge net
Date: Wed, 12 Jun 2002 10:18:25 -1000
Subject: [Snort-users] Configuration HELP!
Hello:
Configuration: Snort WIN32 1.8 port on a Win2k Pro.
Running snort from the command line:
Snort -dev -c snort.conf
Below is a snippet of my config file.
I tried to set my variables so that only my PC would be considered "home"
and snort would treat all other packets as being external. However, Snort
is not logging IDS alerts except for activity from my machine (var
HOME_NET). If I scan Snort machine from a test machine it detects nothing.
As soon as I scan the test machine with my Snort machine, Snort lights up.
To alleviate this problem I placed my IP address in the preprocessor
portscan-ignorehosts section, that didn't work either. It is still alarming
off of traffic sent from my PC.
I must have mis-configured something and was hoping someone could shed some
light on the situation.
I've also noticed that any trigger events that do happen to be logged, all
show traffic flow coming from my machine.
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/
<http://help.undernet.org/proxyscan/> ]
The x.x.x.77 machine is the machine that was scanning me, but the traffic
flow shows my machine responding to the proxy scan, it did not create an
event showing a scan coming from the scanning machine. When I look at this,
it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding
the log?
Thanks in advance for any help.
~Jason
===========================
var HOME_NET x.x.x.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET
--__--__--
Message: 6
From: "Bravard, Paul" <PBravard () reillyind com>
To: snort-users () lists sourceforge net
Date: Wed, 12 Jun 2002 15:38:40 -0500
Subject: [Snort-users] Dies
My Snort running with mysql keeps dying. Anyone have a good tool to monitor
status of Snort?
--__--__--
Message: 7
Date: Wed, 12 Jun 2002 17:08:11 -0400
To: Jason Martin <jmartin () hhsc org>, snort-users () lists sourceforge net
From: matt <mkettler () evi-inc com>
Subject: Re: [Snort-users] Configuration HELP! (understanding alerts
and proxies)
This indicates that the machine xx.xx.xx.243 contacted (or attempted to at
least) a socks proxy server on the xx.xx.xx.77 machine.
THIS COULD BE NORMAL.
If your network is set up such that you use a proxy server for your
internet connection.. well.. then yes.. you've detected something normal.
This kind of connection is generally only of concern when someone outside
your network tries to connect to a proxy server inside it.
Correct your definition of HOME_NET to only include machines under your
control, and exclude those owned by your ISP to prevent such false alarms.
Or configure EXTERNAL_NET to be !$HOME_NET instead of any.
At 10:18 AM 6/12/2002 -1000, Jason Martin wrote:
Hello:
Configuration: Snort WIN32 1.8 port on a Win2k Pro.
Running snort from the command line:
Snort -dev -c snort.conf
Below is a snippet of my config file.
I tried to set my variables so that only my PC would be considered "home" and snort would treat all other packets as being external. However, Snort is not logging IDS alerts except for activity from my machine (var HOME_NET). If I scan Snort machine from a test machine it detects nothing. As soon as I scan the test machine with my Snort machine, Snort lights up.
To alleviate this problem I placed my IP address in the preprocessor portscan-ignorehosts section, that didn't work either. It is still alarming off of traffic sent from my PC.
I must have mis-configured something and was hoping someone could shed some light on the situation.
I've also noticed that any trigger events that do happen to be logged, all show traffic flow coming from my machine.
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/ ]
The x.x.x.77 machine is the machine that was scanning me, but the traffic flow shows my machine responding to the proxy scan, it did not create an event showing a scan coming from the scanning machine. When I look at this, it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding the log?
Thanks in advance for any help.
~Jason
===========================
var HOME_NET x.x.x.243/32
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET
--__--__--
Message: 8
From: Jason Martin <jmartin () hhsc org>
To: "SNORT LIST (E-mail)" <snort-users () lists sourceforge net>
Subject: : [Snort-users] Configuration HELP! (understanding alerts and pro
xies)
Date: Wed, 12 Jun 2002 11:51:13 -1000
Let me follow-up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine. The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77 but my logs only show the ACK of
my machine responding to x.x.x.77's request SYN port scan of my machine on
that port. None of the other signatures for the port scan show up, in fact
the only reason this was logged was because of the traffic generated by
x.x.x.243. I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243 even
though I have it in my portscan-ignore section. I guess it's two part; why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable.
Problem in a nutshell:
IDS Signatures when scans are run from x.x.x.243 are captured in Logs. ALL
scans from various other tests machines against x.x.x.243 do not log. I do
however see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets. I think I mis-configured my config file
so it doesn't know how to properly alert me. Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly. I
hope this made things a little clearer.
~Jason
--__--__--
Message: 9
Date: Wed, 12 Jun 2002 18:51:53 -0400
To: Jason Martin <jmartin () hhsc org>,
"SNORT LIST (E-mail)" <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: : [Snort-users] Configuration HELP! (understanding alerts
and proxies)
Ok, that clears things up a little bit.
First question what version of snort are you running?
You've said it's a 1.8 win32 port. Which one? If it is older than snort
1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs
and I'd not even bother trying to determine if it's a config file problem
if you're running one. (ie: strange bugs in stream processing, strange bugs
in the frag reassembler)
http://www.snort.org/dl/binaries/
In general your config in your original email looks "good" at first glance,
and that alert should not have occurred unless the proxy attempt rule you
are using is any -> any instead of EXTERNAL_NET -> HOME_NET.
You could try this:
replace this:
var HOME_NET x.x.x.243/32
with
var HOME_NET [x.x.x.243/32]
I know you should only need the braces for multi-IP cases, but I always use
them myself. I doubt it will fix it, but won't take long to try.
At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
Let me follow-up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine. The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77 but my logs only show the ACK of
my machine responding to x.x.x.77's request SYN port scan of my machine on
that port. None of the other signatures for the port scan show up, in fact
the only reason this was logged was because of the traffic generated by
x.x.x.243. I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243 even
though I have it in my portscan-ignore section. I guess it's two part; why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable.
Problem in a nutshell:
IDS Signatures when scans are run from x.x.x.243 are captured in Logs. ALL
scans from various other tests machines against x.x.x.243 do not log. I do
however see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets. I think I mis-configured my config file
so it doesn't know how to properly alert me. Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly. I
hope this made things a little clearer.
~Jason
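Jason's confusion about the alert's direction and Matt's reasoning about it (a rule headed $EXTERNAL_NET -> $HOME_NET cannot match a packet whose destination lies outside HOME_NET, so the alert must have come from an any -> any rule) can be checked mechanically. The following is an added example, not code from the thread or from Snort: it parses Snort's full-alert records, labels each flow's direction relative to HOME_NET, and evaluates whether a given rule header would fire with EXTERNAL_NET set to `any` versus `!$HOME_NET`. The 192.0.2.0/24 addresses stand in for the masked x.x.x. ones and are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in Snort's full-alert format: the record from the thread
# (243 -> 77), followed by the packet Jason expected to see (77 -> 243).
SAMPLE_ALERTS = """\
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 192.0.2.243:1282 -> 192.0.2.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:25.101200 192.0.2.77:40012 -> 192.0.2.243:1080
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******S* Seq: 0x1 Ack: 0x0 Win: 0x200 TcpLen: 20
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_alerts(text):
    """Pair each '[**] [gid:sid:rev] msg [**]' header with the flow line that follows it."""
    alerts, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
            continue
        m = FLOW_RE.match(line)
        if m and header is not None:
            alerts.append(Alert(*header, m.group(1), m.group(2), int(m.group(3)),
                                m.group(4), int(m.group(5))))
            header = None
    return alerts


def parse_nets(spec):
    """Accept 'a.b.c.d/32' or the bracketed list form '[a/32,b/24]' Matt suggests."""
    spec = spec.strip().strip("[]")
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def ip_matches_var(ip, var, home_nets, external_net):
    """Evaluate one rule-header address field: any, $HOME_NET, $EXTERNAL_NET, !$HOME_NET, or a literal."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_nets(ip, home_nets)
    if var == "$EXTERNAL_NET":            # expand to whatever snort.conf set it to
        return ip_matches_var(ip, external_net, home_nets, external_net)
    if var == "!$HOME_NET":
        return not in_nets(ip, home_nets)
    return in_nets(ip, parse_nets(var))


def rule_fires(alert, src_var, dst_var, dst_port, home_nets, external_net):
    """Would a rule 'alert tcp <src_var> any -> <dst_var> <dst_port>' match this packet?"""
    return (ip_matches_var(alert.src_ip, src_var, home_nets, external_net)
            and ip_matches_var(alert.dst_ip, dst_var, home_nets, external_net)
            and (dst_port == "any" or alert.dst_port == int(dst_port)))


def direction(alert, home_nets):
    src_home, dst_home = in_nets(alert.src_ip, home_nets), in_nets(alert.dst_ip, home_nets)
    if src_home and dst_home:
        return "internal"
    return "outbound" if src_home else ("inbound" if dst_home else "transit")


if __name__ == "__main__":
    home = parse_nets("[192.0.2.243/32]")
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.src_ip, "->", a.dst_ip, direction(a, home),
              "EXT->HOME fires:", rule_fires(a, "$EXTERNAL_NET", "$HOME_NET", "1080", home, "any"),
              "any->any fires:", rule_fires(a, "any", "any", "1080", home, "any"))
```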
--__--__--
Message: 10
From: "Michael Steele" <michaels () silicondefense com>
To: "'Steven Williams'" <Steven.Williams () computershare com au>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Syslog on W2K
Date: Wed, 12 Jun 2002 16:11:16 -0700
Steve,
That won't work. You are going to have to use a 3rd party Syslog Server
like Kiwi Syslog Daemon which will do everything you need, including
emailing alerts, but not freeware.
If you find anything else on the freeware side, could you let me know? I
have a list of people looking for a freeware utility for emailing alerts
on Windows.
http://www.kiwisyslog.com/
-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Steven
Williams
Sent: Tuesday, June 11, 2002 8:57 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Syslog on W2K
Hi,
I am using snort 1.8.6 on W2K.
I wish to log to the mysql database, but also log to a syslog server
using the commands below;
output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X
output database: alert, mysql, user=username dbname=database
sensor_name=sensor1 password=password host=X.X.X.X
When I run snort, I get a warning message stating "Unrecognized syslog
facility/priority: host=X.X.X.X"
Has anyone successfully got snort to syslog to a remote syslog server?
If so, can you let me know how you did it?
Also, has anyone got anything like Swatch on a W32 machine to report
from Syslog Files?
Thanks
Steve
Steve Williams
Communications Support Engineer
Computershare Technology Services
PH +61 3 92355651
FAX +61 3 94732409
www.computershare.com
dbname=3Ddatabase sensor_name=3Dsensor1 password=3Dpassword =
host=3DX.X.X.X<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'><span =
style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'>When I run snort, I get a warning =
message
stating "Unrecognized syslog facility/priority: =
host=3DX.X.X.X"<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'><span =
style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'>Has anyone successfully got snort to =
syslog
to a remote syslog server? If so, can you let me know how you did =
it?<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'><span =
style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'>Also, has anyone got anything like =
Swatch on
a W32 machine to report from Syslog Files?<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'><span =
style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'>Thanks<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'><span =
style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'margin-left:.5in;mso-layout-grid-align:none;
text-autospace:none'><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt;font-family:"Courier New"'>Steve<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><b><font size=3D2 =
color=3Dpurple
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:purple;
font-weight:bold;mso-no-proof:yes'>Steve Williams</span></font></b><span
style=3D'mso-no-proof:yes'><o:p></o:p></span></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
color=3Dpurple
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:purple;
mso-no-proof:yes'>Communications </span></font><st1:PersonName><font =
size=3D2
color=3Dpurple face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;
=
color:purple;mso-no-proof:yes'>Support</span></font></st1:PersonName><fon=
t
size=3D2 color=3Dpurple face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;
color:purple;mso-no-proof:yes'> Engineer</span></font><span =
style=3D'mso-no-proof:
yes'><o:p></o:p></span></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
color=3Dpurple
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:purple;
mso-no-proof:yes'>Computershare Technology Services</span></font><span
style=3D'mso-no-proof:yes'><o:p></o:p></span></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 =
face=3D"Times New Roman"><span
style=3D'font-size:12.0pt;mso-no-proof:yes'> <o:p></o:p></span></fon=
t></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
color=3Dpurple
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:purple;
mso-no-proof:yes'>PH +61 3 92355651</span></font><span =
style=3D'mso-no-proof:
yes'><o:p></o:p></span></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
color=3Dpurple
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:purple;
mso-no-proof:yes'>FAX +61 3 94732409</span></font><span =
style=3D'mso-no-proof:
yes'><o:p></o:p></span></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;mso-no-proof:yes'><a
href=3D"http://www.computershare.com">www.computershare.com</a></span></f=
ont><o:p></o:p></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 =
face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 =
face=3D"Courier New"><span
style=3D'font-size:12.0pt;font-family:"Courier =
New";mso-fareast-font-family:SimSun'><br>
<br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>---</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>This email and any files transmitted with it =
are
solely intended for the use of the</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>addressee(s) and may contain information that =
is
confidential and privileged. If you</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>receive this email in error, please advise us =
by
return email immediately. Please also</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>disregard the contents of the email, delete =
it and
destroy any copies immediately.</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>Computershare Limited and its subsidiaries do =
not
accept liability for the views</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>expressed in the email or for the =
consequences of
any computer viruses that may be</span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>transmitted with this =
email</span></font></code><br>
<br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>This email is also subject to copyright. No =
part of
it should be reproduced, adapted or </span></font></code><br>
<code><font face=3D"Courier New"><span =
style=3D'mso-ansi-font-size:12.0pt;
mso-bidi-font-size:12.0pt'>transmitted without the written consent of =
the
copyright owner.</span></font></code></span></font><span =
style=3D'mso-fareast-font-family:
SimSun'><o:p></o:p></span></p>
</div>
</body>
</html>
------=_NextPart_000_0001_01C2122B.C8A49C40--
--__--__--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
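As an added example (not code from this thread, from Snort, or from Silicon Defense), the following Python linter checks the two `output` lines quoted in the question above. It tokenises `alert_syslog` arguments against the facility, priority and option names Snort's documentation lists, so the question's line is rejected with the same "Unrecognized syslog facility/priority" wording Snort printed, and it checks the `database` line for the `sensor_name=` that the answer at the top of this message recommends and for the clear-text password such a line carries. The leading `host=addr[:port],` form it accepts for a remote syslog host is the form later Snort manuals document; whether Snort 1.8.6 on W2K accepts it is not stated on this page and is an assumption here. The 192.0.2.x addresses and the sample configuration are constructed for the example.

```python
"""Lint Snort 'output' directives for the mistakes seen in this thread.

Added example, not Snort's own code.  Token sets are the alert_syslog
facility/priority/option names from Snort's documentation; the leading
'host=addr[:port],' clause is the form later Snort manuals document and
is ASSUMED to apply to 1.8.6 on W2K.  Which database parameters count as
required is this linter's own choice.
"""
import re
from typing import Dict, List, Tuple

SYSLOG_FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    f"LOG_LOCAL{i}" for i in range(8)}
SYSLOG_PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                     "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
SYSLOG_OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}

DB_TYPES = {"mysql", "postgresql", "odbc", "oracle", "mssql", "unixodbc"}
DB_KEYS = {"host", "port", "dbname", "user", "password", "sensor_name",
           "encoding", "detail"}

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")
HOST_RE = re.compile(r"host=([^\s,]+)\s*,\s*")


def parse_output_line(line: str) -> Tuple[str, str]:
    """Split 'output <plugin>: <args>' into (plugin, args)."""
    m = OUTPUT_RE.match(line)
    if not m:
        raise ValueError(f"not an output directive: {line!r}")
    return m.group(1), m.group(2)


def lint_alert_syslog(args: str) -> List[str]:
    """Every whitespace-separated token must be a facility, priority or
    option name, as the error in the thread implies; a remote host is only
    accepted as a leading 'host=addr[:port],' clause (assumed form)."""
    problems: List[str] = []
    rest = args
    m = HOST_RE.match(args)
    if m:
        rest = args[m.end():]
        target = m.group(1)
        if ":" in target:
            port = target.rsplit(":", 1)[1]
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"bad port in host={target}")
    for tok in rest.split():
        if tok in SYSLOG_FACILITIES | SYSLOG_PRIORITIES | SYSLOG_OPTIONS:
            continue
        hint = ""
        if tok.startswith("host="):
            hint = " (a remote host goes first, as host=addr[:port], followed by a comma)"
        problems.append(f"Unrecognized syslog facility/priority: {tok}{hint}")
    return problems


def lint_database(args: str) -> List[str]:
    """Check '<alert|log>, <dbtype>, key=value ...' for the database plugin."""
    parts = [p.strip() for p in args.split(",", 2)]
    if len(parts) != 3:
        return [f"expected '<alert|log>, <dbtype>, <parameters>', got {args!r}"]
    log_type, db_type, params = parts
    problems: List[str] = []
    if log_type not in {"alert", "log"}:
        problems.append(f"unknown log type {log_type!r}")
    if db_type not in DB_TYPES:
        problems.append(f"unknown database type {db_type!r}")
    kv: Dict[str, str] = {}
    for tok in params.split():
        key, sep, value = tok.partition("=")
        if not sep or key not in DB_KEYS:
            problems.append(f"unknown database parameter {tok!r}")
            continue
        kv[key] = value
    for key in ("user", "dbname"):          # required by this linter's choice
        if key not in kv:
            problems.append(f"missing {key}=")
    if "sensor_name" not in kv:             # the advice given in this thread
        problems.append("no sensor_name= set; name the sensor explicitly")
    if "password" in kv:                    # credential sits in snort.conf
        problems.append("password= is stored in clear text; restrict snort.conf permissions")
    return problems


def lint_conf(text: str) -> Dict[int, List[str]]:
    """Run both checks over a snort.conf fragment; returns {line_no: problems}."""
    report: Dict[int, List[str]] = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("output"):
            continue
        try:
            plugin, args = parse_output_line(line)
        except ValueError as exc:
            report[no] = [str(exc)]
            continue
        checks = {"alert_syslog": lint_alert_syslog, "database": lint_database}
        if plugin in checks:
            problems = checks[plugin](args)
            if problems:
                report[no] = problems
    return report


# Constructed sample: the two lines from the question (with documentation
# addresses), then a corrected pair in the assumed host=...,  form.
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT host=192.0.2.10
output database: alert, mysql, user=username dbname=database sensor_name=sensor1 password=password host=192.0.2.20

output alert_syslog: host=192.0.2.10:514, LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=secret dbname=snort_log host=localhost
"""

if __name__ == "__main__":
    for no, probs in sorted(lint_conf(SAMPLE_CONF).items()):
        for p in probs:
            print(f"line {no}: {p}")
```

Running it reports the question's first line with the same wording Snort used and passes the re-ordered syslog line; the second database line is flagged for the missing `sensor_name=`, and both database lines for the clear-text password, which is the reason the file holding these directives should be readable only by the account Snort runs as.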
Current thread:
- RE: Snort-users digest, Vol 1 #1962 - 13 msgs Jessup, Justin (Jun 12)
