 
From: John Sage (jsagefinchhaven.com)
Date: Tue Dec 04 2001 - 10:34:58 CST


    Raymond:

    Raymond Jacob wrote:

    > From: John Sage <jsageadsfasdf.com>
    > CC: snort-userslists.sourceforge.net
    > Subject: Re: [Snort-users] can snort decode syslog traffic and feed that
    > traffic into logsnorter
    > Date: Mon, 03 Dec 2001 19:06:11 -0800
    >
    > Raymond:
    >
    > I don't believe this is referring to syslog traffic *within* one box,
    > rather I think the idea is that snort can sniff syslog traffic going
    > from one host to another (if they are set up that way...), or from
    > several hosts to a central logserver...
    > ++ That was my understanding too. I am sorry that was
    > ++ not clear in my email.

    Just wanted to make sure *I* knew what you were talking about ;-)

    > Does that make any sense?
    > ++ Yes that does.
    > snort can output to syslog on the snort box, here's what I use:
    > ++ I must not have been very clear in my original email.
    > ++ So I will try again. As the article I mentioned says:
    > ++ you can use a packet capture tool to do stealth logging
    > ++ of syslog messages sent from a host or a router.
    > ++ I thought in order to do this there would exist a
    > ++ filter that could capture the syslog traffic from the
    > ++ the network and output that traffic to a log file that
    > ++ logsnorter could use as input to an ids console that
    > ++ would correlate events from your router, host, or firewall.

    I'm not aware of a plugin, others may step forward on that..

    However, from /etc/services:

    syslog 514/udp

    See man syslogd regarding the -r switch for remote logging; I'd be
    inclined to roll my own...

    HTH..

    - John

    > ++ For example: As a Network Security person if I saw a lot of
    > ++ nimda activity. I would like to know that my router is
    > ++ blocking the majority of the traffic. If a user has
    > ++ deployed a new application or DNS or MTA, and has not
    > ++ received approval then I will know about it a week or
    > ++ two before instead of Friday at 3:00pm ;-).
    > ++ Lastly, you only have eight[0-7] local facilities in syslog.
    > ++ With a stealth logger theoretically since I would be
    > ++ logging based on ip addresses I could log activity from
    > ++ more than eight devices on server in my DMZ, trusted network,
    > ++ untrusted network. I hope that clarifies what I am looking
    > ++ to do.
    > ++
    > ++ Respectfully,
    > ++ Raymond
    > ++ My question is does such a filter exist?
    > ++ I have not read my daily digest yet so the answer may
    > ++ already be there.
    > # output alert_syslog: LOG_AUTH LOG_ALERT
    > output alert_syslog: LOG_DAEMON LOG_ALERT
    > # as from RELEASE
    >
    >
    > As to "logsnorter", I know not...
    >
    > HTH..
    >
    > - John
    >

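    The "roll my own" stealth logger John alludes to comes down to two things: pick the UDP/514 datagrams out of the captured traffic, then decode the syslog PRI prefix (facility*8 + severity) and key the records by sender IP rather than by facility, which is how Raymond gets past the eight local facilities. The script below is an added illustration of that decoding and demultiplexing, not code from this thread or from Snort or logsnorter; the datagrams in SAMPLE are constructed, and the (src_ip, dst_port, payload) tuples stand in for whatever your capture tool hands you.

```python
import re
from collections import defaultdict

# Facility and severity names from the BSD syslog PRI encoding (0-23 and 0-7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
SYSLOG_PORT = 514  # syslog 514/udp, as in /etc/services

def decode_pri(payload: bytes):
    """Split a syslog datagram into (facility, severity, rest). PRI = facility*8 + severity.
    A datagram without a valid PRI is kept whole so nothing off the wire is dropped."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:      # 191 = local7*8 + debug, the largest legal PRI
        return None, None, payload
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES[fac], SEVERITIES[sev], payload[m.end():]

def demux_by_source(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload) as a packet capture would yield them.
    Returns {src_ip: [(facility, severity, message), ...]}; non-syslog ports are ignored."""
    logs = defaultdict(list)
    for src, port, payload in datagrams:
        if port != SYSLOG_PORT:
            continue
        fac, sev, msg = decode_pri(payload)
        logs[src].append((fac, sev, msg.decode("utf-8", "replace").strip()))
    return dict(logs)

# Constructed sample: a router ACL deny, a host auth failure, an unexpected new DNS
# daemon, and one non-syslog datagram that must be skipped.
SAMPLE = [
    ("10.0.0.1", 514, b"<190>Dec  4 10:34:58 rtr1 list 101 denied tcp 192.0.2.7(2048) -> 10.0.1.5(80)"),
    ("10.0.1.5", 514, b"<34>Dec  4 10:35:01 www sshd[1234]: Failed password for root"),
    ("10.0.1.9", 514, b"<13>Dec  4 10:35:02 box named[77]: starting BIND"),
    ("10.0.1.9", 53, b"not syslog at all"),
]

if __name__ == "__main__":
    for src, records in demux_by_source(SAMPLE).items():
        for fac, sev, msg in records:
            print(f"{src:<10} {fac}.{sev}: {msg}")
```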
    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users