Snort mailing list archives

RE: Snort Syslog Alerts on Win32


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sat, 4 Jan 2003 16:51:36 -0500

Up front, everyone, please forgive the rant I'm about to do...  

Since I did not see an immediate way for Snort to send syslog alerts to a
remote syslog daemon, I went so far as to install a local syslog daemon on
my WinNT4 Snort box just so I could "see" what type of data was being sent
to syslog from Snort.  I figured that if the Snort syslog output was
sufficient for my needs, I'd configure the local syslog daemon to forward
all messages to my main syslog server.  

Well, much to my surprise, Snort did not send *any* data to the local syslog
daemon.  So, I snatched the Snort 1.8.6 tar ball archive from the Snort web
site and looked at the source.  Who would have thought that the alert_syslog
functionality under Win32 would be sending data to the local Event Log!!!  

Evidently, somewhere along the Snort development line, decisions were made
to have Snort's alert_syslog functionality under Win32 send messages to the
Event Log.  Why?!  Who knows.  I figured that syslog meant syslog.  If
someone wanted Event Log functionality, then there would be an
alert_eventlog output plug-in.  Arghhhhh.... 

I run a mixed Wintel/*nix environment and having a syslog daemon around
isn't an issue.  The issue now is that Snort under Win32 does *not* send
data to a syslog daemon -- either local or remote -- but only to the local
Event Log.  

Enough of my rant.  I've got Win32 code around that shows how to send
messages to a syslog daemon, and the daemon does not have to be local; it
can be remote.  But I don't want to be in the business of modifying the
Snort source code every time a new Snort version is released.  Oh well...  

I guess that I'm off to pursue other means for handling/logging Snort alerts
under Win32.  

Regards...  


-----Original Message-----
From: Bob McDowell [mailto:bmcdowell () coxhealthplans com]
Sent: Friday, January 03, 2003 6:44 PM
To: 'L. Christopher Luther'
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32
Sensitivity: Confidential


Do you mean that Snort sends those syslog messages directly?  That's kinda
cool.  I was under the impression that you have to get some sort of syslog
client and put it on the snort box.  In Linux, syslog reads syslog.conf, and
you can specify what alerts go where.  Snort passes its alerts into syslog
for processing.  If you were to get something like Monilog, you could
transmit the snort log files themselves via SETP or syslog, for example.


-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Friday, January 03, 2003 5:29 PM
To: 'bmcdowell () coxhealthplans com'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32
Sensitivity: Confidential


Unfortunately, there is no syslog daemon on the WinNT4 Snort box -- only on
the other server.  :{  I was hoping that like Cisco and other network
devices I could direct the syslog messages from Snort to another server.  

Christopher 


-----Original Message----- 
From: Bob McDowell [mailto:bmcdowell () coxhealthplans com] 
Sent: Friday, January 03, 2003 6:27 PM 
To: 'L. Christopher Luther' 
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32 
Sensitivity: Confidential 


I think you'd need to do this in your syslog daemon.  You can make it easy
on yourself by making snort log to 'Local1' if you'd like.


-----Original Message----- 
From: L. Christopher Luther [mailto:cluther () xybernaut com] 
Sent: Friday, January 03, 2003 5:02 PM 
To: Snort-Users (E-mail) 
Subject: [Snort-users] Snort Syslog Alerts on Win32 
Sensitivity: Confidential 


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

I would like to configure Snort (version 1.8.6 running on a WinNT4 
box) to send Snort alerts to a syslog server on another WinNT4 box. 
The "output alert_syslog" is pretty straightforward, except I am not 
sure of how to direct this output to another host?  The docs I have 
do not specify any "host=" option.  


Sincerely,  
L. Christopher Luther  
Technical Consultant  
Xybernaut Solutions, Inc.  
(703) 654-3642  
cluther () xybernaut com  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88 

CONFIDENTIALITY NOTE:  This communication contains 
information that is confidential and/or legally privileged.  
This information is intended only for the use of the individual 
or entity named on this communication. If you are not the 
intended recipient, you are hereby notified that any disclosure, 
copying, distribution, printing or other use of, or any action 
in reliance on, the contents of this communication is strictly 
prohibited.  If you receive this communication in error, please 
immediately notify us by telephone at (703) 631-6925. 

============================================================ 
Unsolicited commercial e-mail will automatically be reported 
to the appropriate abuse@ - without exception. 
============================================================ 


-----BEGIN PGP SIGNATURE----- 
Version: PGP 7.1.2 
iQA/AwUBPhYWg6u/XM0hJhuIEQJp9QCg8SFUXSb7yrpOG0Rv+gLvRlpn4gkAnj8H 
la4Z8Pko+5h79KaeMlghIOMX 
=1T7j 
-----END PGP SIGNATURE----- 

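The forwarding Luther says he has Win32 code for (sending to a syslog daemon that need not be local) is sketched below as an added example; it is not code from this thread, from Snort, or from either poster. Because Snort 1.8.6's alert_syslog on Win32 writes to the Event Log, the script reads Snort's fast-format alert file instead and emits RFC 3164 packets itself over UDP/514, using the LOG_AUTH/LOG_ALERT pair that alert_syslog defaults to, or "local1" as Bob suggests so the receiving syslog.conf can route it. The server address, sensor hostname, alert-file path and alert lines are all constructed for the example.

```python
"""Forward Snort fast-format alerts to a remote BSD syslog server (UDP/514).

Example code added to this archive page; it is not Snort code and not the
Win32 code mentioned in the thread. Snort 1.8.6's alert_syslog on Win32 writes
to the Event Log, so this script reads Snort's alert file instead and emits
RFC 3164 messages itself. Hostnames, addresses and alert lines are constructed.
"""
import socket
import sys
from datetime import datetime

# RFC 3164 numerical codes. Snort's alert_syslog defaults to LOG_AUTH/LOG_ALERT;
# "local1" is the facility suggested in the thread for easy syslog.conf routing.
FACILITIES = {"auth": 4, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MAX_PACKET = 1024  # RFC 3164 caps a syslog packet at 1024 bytes

# Constructed sample lines in Snort's "fast" alert format (RFC 5737 test
# addresses, SIDs from the local-rule range); not real Snort output.
SAMPLE_ALERTS = [
    "01/03-17:02:11.123456  [**] [1:1000001:1] LOCAL test rule A [**] "
    "[Priority: 3] {TCP} 192.0.2.5:3456 -> 198.51.100.1:80",
    "",  # blank line: must be skipped, not forwarded
    "01/03-17:02:12.654321  [**] [1:1000002:1] LOCAL test rule B [**] "
    "[Priority: 2] {UDP} 192.0.2.7:1024 -> 198.51.100.1:53",
]


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(msg, hostname, timestamp, facility="auth", severity="alert",
                  tag="snort"):
    """Render one RFC 3164 packet: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    # The day of month is space-padded to two characters ("Jan  3"); strftime's
    # %e is not portable to Windows, so format it by hand.
    stamp = "%s %2d %s" % (timestamp.strftime("%b"), timestamp.day,
                           timestamp.strftime("%H:%M:%S"))
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, hostname, tag, msg)
    # Truncate rather than let the receiver drop an oversized datagram.
    return line.encode("ascii", "replace")[:MAX_PACKET]


def forward(lines, server, port=514, hostname=None, facility="auth",
            severity="alert", send=None):
    """Send each non-empty alert line to server:port and return the count sent.

    send(data, addr) is injectable so the formatting can be exercised offline;
    by default a UDP socket's sendto is used.
    """
    hostname = hostname or socket.gethostname()
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send = sock.sendto
    count = 0
    for raw in lines:
        msg = raw.rstrip("\r\n")
        if not msg.strip():
            continue  # skip blank separator lines in the alert file
        send(build_message(msg, hostname, datetime.now(), facility, severity),
             (server, port))
        count += 1
    return count


if __name__ == "__main__":
    # Usage: python snort_syslog_fwd.py <syslog-server> [alert-file]
    # Server address and the alert-file argument are assumptions; without an
    # alert file the constructed samples are sent.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            n = forward(fh, target, facility="local1")
    else:
        n = forward(SAMPLE_ALERTS, target, facility="local1")
    print("forwarded %d alerts to %s" % (n, target))
```

Run it against a copy of the alert file Snort writes (on Win32 the fast-format file lives in the configured log directory; the exact path is an assumption here) and point it at the syslog server. The receiving daemon sees each alert as an ordinary BSD syslog message with facility local1 and severity alert, so a syslog.conf line for local1.* can route it without any change to the Snort source.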