[Snort-users] Win32 port and Syslog

Michael Davis mike at ...92...
Mon Nov 20 21:35:01 EST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will add a syslog option to the win32 port and I will keep the
event log option as well. I will try to get this done ASAP and roll
out the official win32-patch2 but I just started my new job at 3com
and have a lot of work to do.

Michael Davis
Chief Technical Officer
Data Nerds, LLC.
http://www.datanerds.net

- ----- Original Message ----- 
From: "Brent Erickson" <erickson at ...239...>
To: "Michael Davis" <mike at ...92...>
Sent: Monday, November 20, 2000 12:58 PM
Subject: Re: [Snort-users] Win32 port and Syslog


> Hi Mike,
> 
> Please don't remove the event log option. If you ever add syslog
> please keep logging to the event log as an option.
> 
> I use an event log monitor program that dynamically e-mails me all
> snort alerts and it works great. So I am happy with NT event
> logging. But I certainly can see Frank's point about the syslog.
> 
> Brent Erickson
> 
> ----- Original Message -----
> From: "Michael Davis" <mike at ...92...>
> To: "Frank Knobbe" <FKnobbe at ...652...>
> Cc: "Snort Users" <snort-users at lists.sourceforge.net>
> Sent: Saturday, November 18, 2000 8:54 PM
> Subject: Re: [Snort-users] Win32 port and Syslog
> 
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Getting the win32 port to log to a syslog server is not that
> > simple. I personally have never written anything to interact with
> > a syslog server remotely so I do not know how the protocol works.
> > I do know however that there are tons of programs on the net that
> > will take your Event Log and send it to a remote syslog server
> > every time there is a write to the event log (effectively
> > forwarding all data to the syslog server). There is even an open
> > source one (http://www.sabernet.net/ I believe). You could modify it to
> > only look for snort generated logs and forward them and you would
> > be set.
> >
> > I am not against removing the Event Log option but you are the
> > first person to ask to do so :)
> >
> > Michael Davis
> > Chief Technical Officer
> > Data Nerds, LLC.
> > http://www.datanerds.net
> >
> > - ----- Original Message -----
> > From: "Frank Knobbe" <FKnobbe at ...652...>
> > To: <snort-users at lists.sourceforge.net>
> > Sent: Saturday, November 18, 2000 5:52 PM
> > Subject: [Snort-users] Win32 port and Syslog
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Greetings,
> > >
> > > I wanted to make a recommendation to Snort here on this
> > > list in hopes of gathering some support :)
> > >
> > > I'm running the Win32 port of Snort and am pretty happy with
> > > it. I have a script running that monitors the log file, and
> > > depending on the event logged, it will reconfigure my firewall
> > > to block the offender (Snort is running as an Attack Detection
> > > System outside the firewall. Please don't start a thread on
> > > that, we just had that in another list :)
> > >
> > > Anyway, what I would really like is the ability to send Syslog
> > > messages. Unfortunately the Win32 port does not do that,
> > > instead it logs to the EventLog. Can't this be made an option?
> > > I think the user should be given the choice to log to the
> > > EventLog or to send a Syslog packet to a Syslog server. Marty,
> > > is that something you can add in the next version please?
> > >
> > > Sending a Syslog packet would help greatly in automating events
> > > since a script can watch for and receive Syslog packets, and
> > > then trigger an action. This mechanism would be quicker than
> > > monitoring the log file. Any supporters for the optional Syslog
> > > under Win32? 
> > >
> > > Regards,
> > > Frank
> > >
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: PGP Personal Privacy 6.5.1
> > > Comment: PGP or S/MIME encrypted email preferred.
> > >
> > > iQA/AwUBOhcWWERKym0LjhFcEQIF5gCgqRRQPu28ckQurcaATF2zAA0h7aQAniPB
> > > +7hMn8TcqW0m99wHMb5Jm8o7
> > > =FVEY
> > > -----END PGP SIGNATURE-----
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.8 for non-commercial use
> > <http://www.pgp.com> 
> >
> > iQA/AwUBOhdc5viUqZ9dnoKsEQLSZgCg92uYGA5AqL2FrezzyiqkMQJzS7QAnA2W
> > bVqpXgUvoylhkI1W/7UwfJF+
> > =r2bs
> > -----END PGP SIGNATURE-----
> >
> >
> >
> 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOhnfU/iUqZ9dnoKsEQJi3ACdGRvqY2EfZcUaf4OZqnC/QAWX94kAoM5k
UKzMxKqDsfIyo3cYN/V/XYOX
=ponH
-----END PGP SIGNATURE-----
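The thread describes the mechanism without showing it: the sensor emits a syslog packet, and a watcher script receives it, recognizes a Snort alert, and reacts. The following is an added example written for this archive page; it is not Snort's code and not code from anyone in the thread. It builds and parses BSD-style syslog datagrams (the `<PRI>TIMESTAMP HOST TAG: MSG` form of RFC 3164, which post-dates this 2000 discussion), sends one over UDP loopback, and shows the triage decision a watcher script would make. The hostname `nt-sensor`, the alert text and the `should_notify` policy are constructed for the example; the alert line only approximates the shape of a Snort alert.

```python
"""BSD-style syslog sender and watcher (RFC 3164 framing), added example."""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1); a few named values.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Tag may carry an optional [pid]; timestamp is "Mmm dd hh:mm:ss" with a
# space-padded day.  The regex is anchored so trailing junk cannot slip in.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S,
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    message: str


def encode_pri(facility: int, severity: int) -> int:
    """Pack facility and severity into the PRI number."""
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Unpack PRI into (facility, severity)."""
    return divmod(pri, 8)


def build_message(facility: int, severity: int, timestamp: str,
                  hostname: str, tag: str, content: str) -> bytes:
    """Produce the datagram a sensor would send (sender side)."""
    pri = encode_pri(facility, severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {content}".encode("ascii")


def parse_message(raw: bytes) -> Optional[SyslogEvent]:
    """Parse one datagram; return None for anything malformed (receiver side).

    A watcher that crashes or mis-parses on a bad packet is itself a target,
    so every field is validated rather than trusted.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = SYSLOG_RE.match(text)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 23 * 8 + 7:          # largest valid facility/severity combination
        return None
    facility, severity = decode_pri(pri)
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["tag"], m["msg"])


def should_notify(ev: SyslogEvent) -> bool:
    """Constructed watcher policy: only Snort-tagged events of warning or worse."""
    return ev.tag == "snort" and ev.severity <= SEVERITY["warning"]


def loopback_exchange(datagram: bytes, timeout: float = 2.0) -> Optional[SyslogEvent]:
    """Send one datagram to a UDP listener on 127.0.0.1 and parse what arrives.

    Binds an ephemeral port rather than 514 so no privileges are needed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        sender.sendto(datagram, listener.getsockname())
        data, _addr = listener.recvfrom(2048)
        return parse_message(data)


# Constructed alert in the general shape of a Snort alert line (local SID range).
SAMPLE_ALERT = build_message(
    FACILITY["local0"], SEVERITY["alert"], "Nov 20 21:35:01", "nt-sensor", "snort",
    "[1:1000001:1] CONSTRUCTED TEST RULE {TCP} 192.0.2.10:4444 -> 192.0.2.20:80",
)

if __name__ == "__main__":
    event = loopback_exchange(SAMPLE_ALERT)
    print(event)
    print("notify:", event is not None and should_notify(event))
```

Two things the thread's automation idea should account for: classic syslog is a single unauthenticated UDP datagram, so the source address, hostname and tag are all attacker-controllable by anyone who can reach the listener, and a script that reconfigures a firewall from such packets must treat every field as untrusted input (never pass it to a shell, and restrict the listener to the sensor's address). Forwarding the NT Event Log instead, as the thread suggests, changes the source of the records but not this property of the transport.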