[Snort-users] RE: Snort-users digest, Vol 1 #1962 - 13 msgs

Jessup, Justin Justin.Jessup at ...194...
Wed Jun 12 16:52:02 EDT 2002


Answer to #1:
Go into snort.conf (vi snort.conf), then go to the output data section,
where you input username= password= host=, and add sensor_name= (for
example sensor_name=falcon). You need to assign a sensor name; add

sensor_name=condor  # or whatever you want your sensor to be named

Also make sure your database permissions allow your user=snort to
connect, either from the IP address of the remote mysql server or, if
the mysql server is localhost, make sure the database permissions allow
user=snort to have full control (rwx) of the snort_log database, or
whatever you named your databases.
 
respectfully,
justin jessup

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Wednesday, June 12, 2002 7:11 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #1962 - 13 msgs
Importance: Low


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: snort with mysql and acid (roman at ...438...)
   2. (no subject) (Richard Houston)
   3. Re: Detecting concurrent connections (matt)
   4. Re: (no subject) (Erek Adams)
   5. Configuration HELP! (Jason Martin)
   6. Dies (Bravard, Paul)
   7. Re: Configuration HELP! (understanding alerts
       and proxies) (matt)
   8. : [Snort-users] Configuration HELP! (understanding alerts and
       proxies) (Jason Martin)
   9. Re: : [Snort-users] Configuration HELP! (understanding alerts
       and proxies) (Matt Kettler)
  10. RE: Syslog on W2K (Michael Steele)

--__--__--

Message: 1
To: C White <cwhite at ...6062...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] snort with mysql and acid
Date: Wed, 12 Jun 2002 15:10:07 EDT

Take a look at the suggestions in Question #B1 of the database FAQ:

http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html

Roman

> i have snort up and running, however i want it to log to a mysql db, it 
> looks like i've configured everything properly, the database plugin has 
> been configured, and it still insists on logging everything to a text file
> 
> when i run snort from the console everything appears fine except for the 
> fact that it is logging to a text file
> 
> this is what i get when i run it on the console
> 
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = snort
> database: password is set
> database: database name = snort
> database:          host =
> database:   sensor name =
> database:     sensor id = 1
> database: schema version = 105
> database: using the "log" facility
> 
> am i missing something in the snort.conf file
> 
> any help will be greatly appreciated
> 
> many thanks
> 
> 
> _______________________________________________________________
> 
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/




--__--__--

Message: 2
Date: Wed, 12 Jun 2002 13:27:03 +0500 (CDT)
From: "Richard Houston" <rhouston at ...6063...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] (no subject)

Hello all,

I need some help with setting up snort as a NIDS.

I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked
3com hubs. If I port scan the snort host I get lots of log messages
related to the port scan. I also use typhon to scan the snort host with
a selection of exploit scans, and all seems fine.  I have all messages
going to syslog.
Now here is the issue. If I scan a host other than the snort host, snort
does not log anything.
Here is the command I used to start snort.
/usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
/etc/snort/snort.conf
Here is the output of ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:60:97:AE:0C:05
          inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:19415209 errors:248 dropped:0 overruns:0 frame:248
          TX packets:439766 errors:0 dropped:0 overruns:0 carrier:0
          collisions:19226 txqueuelen:100
          Interrupt:10 Base address:0x300

Any help would be greatly appreciated.



--
Thanks in advance

Rich




-----------------------------------------
This email was sent using SquirrelMail.
   "Webmail for nuts!"
http://squirrelmail.org/




--__--__--

Message: 3
Date: Wed, 12 Jun 2002 15:43:02 -0400
To: Renato Araújo <renato at ...6058...>,
   snort-users at lists.sourceforge.net
From: matt <mkettler at ...4108...>
Subject: Re: [Snort-users] Detecting concurrent connections

Agreed, snort is not stateful in this respect.

Currently I'd see that this is the kind of thing that really has 2
solutions outside of using snort:

1) I'd suspect that it is possible for some stateful firewalls to implement
connect rate limiting (since they have to track connection states anyway).
This would really only slow them down unless it had some kind of "if they
try to exceed this threshold, shun that IP for an extended period of time"

2) It might be possible to set up some kind of perl-script log watcher that
looks for a large number of "user unknown" errors being generated from the
same originating IP and just add that IP to your /etc/mail/access file (or
whatever similar blocking file your mailserver uses).

Simultaneous state and time based analysis isn't really much the domain of
the current version of snort, which is really looking for intrusion
signatures, portscans (large number of different ports over time), and
anomalous syn packets. There are some stateful aspects, and some time
aspects, but none that analyze state and time currently.

There's been some talk in the past of modifying spp_portscan to create a
spp_synflood (looking for a large number of syn connections to the same
port in a given time window), but this doesn't really determine how many of
these connections are concurrent. Dig in the archives, someone once posted
a small patch to get that effect.



At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
>I want to configure a snort rule to detect if there is a number of
>concurrent connections to a server. Example, I want snort to detect if
>anyone has 15 or more connections simultaneously established to my
>smtp server.
>Does anyone know if this is possible? I need this because someone used
>a program that sends tons of emails to my server to discover valid
>emails. I solved the problem by blocking the IP with iptables, but I'm
>looking for an automated solution.
>
>
>
>Atenciosamente (sincerely),
>
>Renato Araújo
>---------------------------------------------
>Unix _IS_ user friendly - it's just selective about who its friends are !
>
>



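As an added example (not part of the original post, and not Snort code), here is option 2 from the reply above written in Python rather than perl: a watcher that reads sendmail maillog lines, counts "User unknown" rejections per connecting IP inside a sliding time window, and renders the /etc/mail/access REJECT entries for any IP that crosses the threshold. The threshold (5), the window (60 seconds), the year used to complete the syslog timestamp and the log excerpt are this example's own assumptions and constructed data, not values from the thread.

```python
#!/usr/bin/env python3
"""Added example: sendmail "User unknown" watcher with a sliding window."""

import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # assumed policy: more than 5 rejections ...
WINDOW_SECONDS = 60  # ... from one IP within 60 s is a harvest attempt

# sendmail names the connecting client as relay=host [a.b.c.d] or
# relay=[a.b.c.d]; the leading "Mmm dd hh:mm:ss" is the syslog stamp.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: .*"
    r"relay=(?:[\w.-]+ )?\[(?P<ip>\d+(?:\.\d+){3})\]"
)


def parse_stamp(stamp, year=2002):
    """Syslog stamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def offenders(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: count_when_tripped} for IPs whose "User unknown"
    rejections exceeded `threshold` inside any `window`-second span.
    Lines are expected in log (chronological) order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}
    for line in lines:
        if "User unknown" not in line:
            continue              # deliveries, bounces etc. are not rejections
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_stamp(m.group("stamp"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) > threshold and ip not in tripped:
            tripped[ip] = len(q)
    return tripped


def access_entries(tripped):
    """Lines to append to /etc/mail/access (rebuild access.db with makemap
    afterwards); sendmail's access map is keyed by address or prefix."""
    return [f"{ip}\tREJECT" for ip in sorted(tripped)]


def make_line(second, ip, user="nobody", minute=0):
    """Construct one sample sendmail rejection line (synthetic, not a real log)."""
    return (f"Jun 12 10:{minute:02d}:{second:02d} mx1 sendmail[2341]: g5CEA1x02341: "
            f"ruleset=check_rcpt, arg1=<{user}@example.net>, relay=[{ip}], "
            f"reject=550 5.1.1 <{user}@example.net>... User unknown")


# Constructed excerpt: one harvester guessing seven addresses in 24 seconds,
# one legitimate typo, and one accepted message that must not count.
SAMPLE_LOG = (
    [make_line(4 * i, "192.0.2.10", f"guess{i}") for i in range(7)]
    + [make_line(30, "198.51.100.7", "bob")]
    + ["Jun 12 10:00:31 mx1 sendmail[2350]: g5CEAV02350: from=<alice@example.org>, "
       "size=812, class=0, nrcpts=1, relay=host.example.org [203.0.113.5]"]
)

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    print(hits)                                   # {'192.0.2.10': 6}
    print("\n".join(access_entries(hits)))        # 192.0.2.10<TAB>REJECT
```

Feed it the live maillog (for example through `tail -f`) and append the rendered lines to /etc/mail/access, then run makemap so sendmail picks them up. Two caveats a practitioner would want: a NAT gateway or a legitimate bulk sender with a stale address list can cross the same threshold, so review an IP before rejecting it for good; and, as the reply above says, counting rejections over time still does not tell you how many connections were concurrent.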
--__--__--

Message: 4
Date: Wed, 12 Jun 2002 13:01:27 -0700 (PDT)
From: Erek Adams <erek at ...577...>
To: Richard Houston <rhouston at ...6063...>
cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] (no subject)

On Wed, 12 Jun 2002, Richard Houston wrote:

> I need some help with setting up snort as a NIDS.
>
> I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked

Consider upgrading.  1.8.6 is the most current, with 1.8.7beta6 in the works.
There are lots of little 'gotchas' that were fixed in the 1.8.x line.

> 3com hubs. If I port scan the snort host I get lots of log messages
> related to the  port scan, I all so use typhon to scan the snort host with
> a selection of exploits Scan and all seems fine.  I have all messages
> going to syslog.
> Now here is the issue. If I scan a host other than the snort host, snort
> does not log anything.

Yep.  Sounds just like:

	http://www.snort.org/docs/faq.html#6.21


> Here is the command I used to start snort.
> /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
> /etc/snort/snort.conf

If you're running snort as a daemon, then you don't need '-d, -v, -e, and -d'.
-ved tells snort to write to STDOUT and to decode the packets on the fly.  -D
uncouples snort from STDOUT, but due to the other switches, snort is still
trying to decode and print those things--wasting CPU.

[...snip...]

You might also want to check what $HOME_NET and $EXTERNAL_NET are set to.  I
would suggest:
	var HOME_NET 10.1.1.0/24
	var EXTERNAL_NET !$HOME_NET
as a starting point--If they aren't like that already.

Oh, and try to give us a subject line next time.  Some folks sort email based
on subjects....  And that's the common subject sent to /dev/null.  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 5
From: Jason Martin <jmartin at ...6065...>
To: snort-users at lists.sourceforge.net
Date: Wed, 12 Jun 2002 10:18:25 -1000
Subject: [Snort-users] Configuration HELP!

Hello:

Configuration:  Snort WIN32 1.8 port on a Win2k Pro.


Running snort from the command line:

Snort -dev -c snort.conf

Below is a snippet of my config file.

I tried to set my variables so that only my PC would be considered "home"
and snort would treat all other packets as being external.  However, Snort
is not logging IDS alerts except for activity from my machine (var
HOME_NET).  If I scan Snort machine from a test machine it detects nothing.
As soon as I scan the test machine with my Snort machine, Snort lights up.
To alleviate this problem I placed my IP address in the preprocessor
portscan-ignorehosts section, that didn't work either.  It is still alarming
off of traffic sent from my PC.

I must have mis-configured something and was hoping someone could shed some
light on the situation.

I've also noticed that any trigger events that do happen to be logged, all
show traffic flow coming from my machine.

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
[Xref => http://help.undernet.org/proxyscan/
<http://help.undernet.org/proxyscan/> ]

The x.x.x.77 machine is the machine that was scanning me, but the traffic
flow shows my machine responding to the proxy scan, it did not create an
event showing a scan coming from the scanning machine. When I look at this,
it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding
the log?

Thanks in advance for any help.

~Jason



===========================
var HOME_NET x.x.x.243/32

var EXTERNAL_NET any

var SMTP $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET
 
var DNS_SERVERS $HOME_NET

var RULE_PATH /rules

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET






Confidentiality Notice: 
This email message, including any attachments, is for the sole use of 
the intended recipient(s) and may contain confidential and privileged 
information.  Any unauthorized review, use, disclosure, or distribution 
is prohibited.  If you are not the intended recipient, please contact
the sender by reply e-mail and destroy all copies of the original message. 




--__--__--

Message: 6
From: "Bravard, Paul" <PBravard at ...6067...>
To: snort-users at lists.sourceforge.net
Date: Wed, 12 Jun 2002 15:38:40 -0500
Subject: [Snort-users] Dies

My Snort running with mysql keeps dying. Anyone have a good tool to monitor
status of Snort?


--__--__--

Message: 7
Date: Wed, 12 Jun 2002 17:08:11 -0400
To: Jason Martin <jmartin at ...6065...>, snort-users at lists.sourceforge.net
From: matt <mkettler at ...4108...>
Subject: Re: [Snort-users] Configuration HELP! (understanding alerts
  and proxies)

This indicates that the machine xx.xx.xx.243 contacted (or attempted to at 
least) a socks proxy server on the xx.xx.xx.77 machine.

THIS COULD BE NORMAL.

If your network is set up such that you use a proxy server for your 
internet connection.. well.. then yes.. you've detected something normal. 
This kind of connection is generally only of concern when someone outside 
your network tries to connect to a proxy server inside it.

Correct your definition of HOME_NET to only include machines under your 
control, and exclude those owned by your ISP to prevent such false alarms. 
Or configure EXTERNAL_NET to be !$HOME_NET instead of any.





At 10:18 AM 6/12/2002 -1000, Jason Martin wrote:
>Hello:
>
>Configuration:  Snort WIN32 1.8 port on a Win2k Pro.
>
>
>Running snort from the command line:
>
>Snort -dev -c snort.conf
>
>Below is a snippet of my config file.
>
>I tried to set my variables so that only my PC would be considered "home"
>and snort would treat all other packets as being external.  However, Snort
>is not logging IDS alerts except for activity from my machine (var
>HOME_NET).  If I scan Snort machine from a test machine it detects nothing.
>As soon as I scan the test machine with my Snort machine, Snort lights up.
>To alleviate this problem I placed my IP address in the preprocessor
>portscan-ignorehosts section, that didn't work either.  It is still alarming
>off of traffic sent from my PC.
>
>I must have mis-configured something and was hoping someone could shed some
>light on the situation.
>
>I've also noticed that any trigger events that do happen to be logged, all
>show traffic flow coming from my machine.
>
>[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
>TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
>******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>[Xref => http://help.undernet.org/proxyscan/
><http://help.undernet.org/proxyscan/> ]
>
>The x.x.x.77 machine is the machine that was scanning me, but the traffic
>flow shows my machine responding to the proxy scan, it did not create an
>event showing a scan coming from the scanning machine. When I look at this,
>it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding
>the log?
>
>Thanks in advance for any help.
>
>~Jason
>
>
>
>===========================
>var HOME_NET x.x.x.243/32
>
>var EXTERNAL_NET any
>
>var SMTP $HOME_NET
>
>var HTTP_SERVERS $HOME_NET
>
>var SQL_SERVERS $HOME_NET
>
>var DNS_SERVERS $HOME_NET
>
>var RULE_PATH /rules
>
>preprocessor frag2
>preprocessor stream4: detect_scans
>preprocessor stream4_reassemble
>preprocessor http_decode: 80 -unicode -cginull
>preprocessor rpc_decode: 111 32771
>preprocessor bo: -nobrute
>preprocessor telnet_decode
>preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
>preprocessor portscan-ignorehosts: $HOME_NET
>
>
>
>
>
>



--__--__--

Message: 8
From: Jason Martin <jmartin at ...6065...>
To: "SNORT LIST (E-mail)" <snort-users at lists.sourceforge.net>
Subject: : [Snort-users] Configuration HELP! (understanding alerts and proxies)
Date: Wed, 12 Jun 2002 11:51:13 -1000

Let me follow-up on this before I get similar responses. I don't think I was
very clear.
x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.  The
proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
The problem is the scan was from x.x.x.77 but my logs only show the ACK of
my machine responding to x.x.x.77's request SYN port scan of my machine on
that port.  None of the other signatures for the port scan show up, in fact
the only reason this was logged was because of the traffic generated by
x.x.x.243.  I'm looking for someone to point out where I misconfigured my
config file so that it is detecting ONLY traffic generated by x.x.x.243 even
though I have it in my portscan-ignore section.  I guess it's two part;  why
is it not detecting any external scans, and why is it not pre-processing my
ignore variable.
Problem in a nutshell:
IDS Signatures when scans are run from x.x.x.243 are captured in Logs.  ALL
scans from various other test machines against x.x.x.243 do not log.  I do
however see the traffic when I am running snort -dev -c snort.conf, so the
interface is grabbing the packets.  I think I mis-configured my config file
so it doesn't know how to properly alert me.  Or I'm just not making any
sense and the way I'm phrasing my problem isn't coming across correctly.  I
hope this made things a little clearer.
	~Jason








--__--__--

Message: 9
Date: Wed, 12 Jun 2002 18:51:53 -0400
To: Jason Martin <jmartin at ...6065...>,
   "SNORT LIST (E-mail)" <snort-users at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: : [Snort-users] Configuration HELP! (understanding alerts
  and proxies)

Ok, that clears things up a little bit.



First question what version of snort are you running?

You've said it's a 1.8 win32 port. Which one? If it is older than snort 
1.8.5, upgrade. Some members of the 1.8.x family had very significant bugs 
and I'd not even bother trying to determine if it's a config file problem 
if you're running one. (ie: strange bugs in stream processing, strange bugs 
in the frag reassembler)

http://www.snort.org/dl/binaries/

In general your config in your original email looks "good" at first glance, 
and that alert should not have occurred unless the proxy attempt rule you 
are using is any -> any instead of EXTERNAL_NET -> HOME_NET.

You could try this:

replace this:

var HOME_NET x.x.x.243/32

with

var HOME_NET [x.x.x.243/32]

I know you should only need the braces for multi-IP cases, but I always use 
them myself. I doubt it will fix it, but won't take long to try.



At 11:51 AM 6/12/2002 -1000, Jason Martin wrote:
>Let me follow-up on this before I get similar responses. I don't think I was
>very clear.
>x.x.90.77 is a test machine I am using to scan my x.x.90.243 machine.  The
>proxy scan is part of the scan I am using to emulate a PROXY scan attempt.
>The problem is the scan was from x.x.x.77 but my logs only show the ACK of
>my machine responding to x.x.x.77's request SYN port scan of my machine on
>that port.  None of the other signatures for the port scan show up, in fact
>the only reason this was logged was because of the traffic generated by
>x.x.x.243.  I'm looking for someone to point out where I misconfigured my
>config file so that it is detecting ONLY traffic generated by x.x.x.243 even
>though I have it in my portscan-ignore section.  I guess it's two part;  why
>is it not detecting any external scans, and why is it not pre-processing my
>ignore variable.
>Problem in a nutshell:
>IDS Signatures when scans are run from x.x.x.243 are captured in Logs.  ALL
>scans from various other test machines against x.x.x.243 do not log.  I do
>however see the traffic when I am running snort -dev -c snort.conf, so the
>interface is grabbing the packets.  I think I mis-configured my config file
>so it doesn't know how to properly alert me.  Or I'm just not making any
>sense and the way I'm phrasing my problem isn't coming across correctly.  I
>hope this made things a little clearer.
>         ~Jason
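
As an added example (this is not Snort's code and not from any poster in the thread), the following Python model shows how Snort resolves $HOME_NET and $EXTERNAL_NET, including "any" and the "!" negation recommended in messages 4 and 7, and how a rule header's addresses and ports are matched against a packet. It is used to check which rule shapes can produce the alert quoted in this thread, in which the sensor itself is the source. The addresses are constructed (192.0.2.243 and 192.0.2.77 stand in for x.x.x.243 and x.x.x.77), the rule headers follow the shape of Snort 1.8 rules, and per-element negation inside a bracketed list is not modeled.

```python
#!/usr/bin/env python3
"""Added example: a model of Snort variable resolution and header matching."""

import ipaddress


def resolve(spec, variables):
    """Expand a rule address spec to (negated, networks).
    networks is None for "any"; $VAR references are followed recursively,
    so !$EXTERNAL_NET with EXTERNAL_NET=!$HOME_NET comes back as HOME_NET."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(spec, ip, variables):
    negated, nets = resolve(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(spec, port):
    """"any", a single port, a range like 1024: / :1023 / 6000:6010, or !spec."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def header_matches(header, pkt, variables):
    """True when the rule header (action proto src sport dir dst dport)
    applies to pkt; "<>" rules are tried in both directions."""
    _action, proto, src, sport, direction, dst, dport = header.split()
    if proto != pkt["proto"]:
        return False

    def one_way(s, sp, d, dp):
        return (addr_matches(s, pkt["src"], variables) and port_matches(sp, pkt["sport"])
                and addr_matches(d, pkt["dst"], variables) and port_matches(dp, pkt["dport"]))

    if one_way(src, sport, dst, dport):
        return True
    return direction == "<>" and one_way(dst, dport, src, sport)


def rules_firing(rules, pkt, variables):
    """Names of the rules (name -> header) whose header matches pkt."""
    return [name for name, header in rules.items() if header_matches(header, pkt, variables)]


# The two directions of the exchange in the thread: the test box probing
# the sensor's port 1080, and the sensor talking to port 1080 on the test box.
SCAN_SYN = dict(proto="tcp", src="192.0.2.77", sport=1282, dst="192.0.2.243", dport=1080)
SENSOR_OUT = dict(proto="tcp", src="192.0.2.243", sport=1282, dst="192.0.2.77", dport=1080)

POSTED_VARS = {"HOME_NET": "192.0.2.243/32", "EXTERNAL_NET": "any"}
FIXED_VARS = {"HOME_NET": "192.0.2.243/32", "EXTERNAL_NET": "!$HOME_NET"}
LAN_VARS = {"HOME_NET": "[192.0.2.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

SOCKS_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 1080"   # the stock direction
ANY_ANY_RULE = "alert tcp any any -> any 1080"                  # a sloppy local rule

if __name__ == "__main__":
    rules = {"socks": SOCKS_RULE, "any-any": ANY_ANY_RULE}
    for label, variables in (("posted vars", POSTED_VARS), ("EXTERNAL_NET=!$HOME_NET", FIXED_VARS)):
        print(label, "| test box -> sensor:", rules_firing(rules, SCAN_SYN, variables),
              "| sensor -> test box:", rules_firing(rules, SENSOR_OUT, variables))
```

Run stand-alone, the model says the same thing as message 9: an EXTERNAL_NET -> HOME_NET header can only fire on the quoted packet (243 -> 77:1080) if 77 is in HOME_NET, so an alert in that direction points at a rule written any -> any. It also shows what EXTERNAL_NET !$HOME_NET buys: with a /24 HOME_NET, traffic between two home hosts no longer matches EXTERNAL_NET -> HOME_NET rules at all, which is the false-alarm case message 7 describes.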



--__--__--

Message: 10
From: "Michael Steele" <michaels at ...155...>
To: "'Steven Williams'" <Steven.Williams at ...4864...>
Cc: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Syslog on W2K
Date: Wed, 12 Jun 2002 16:11:16 -0700

Steve,
 
That won't work. You are going to have to use a 3rd party Syslog Server
like Kiwi Syslog Daemon, which will do everything you need, including
emailing alerts, but it is not freeware.
 
If you find anything else on the freeware side, could you let me know? I
have a list of people looking for a freeware utility for emailing alerts
on Windows.
 
http://www.kiwisyslog.com/
-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Steven
Williams
Sent: Tuesday, June 11, 2002 8:57 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Syslog on W2K
 
Hi,
 
I am using snort 1.8.6 on W2K.
 
I wish to log to the mysql database, but also log to a syslog server
using the commands below;
 
output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X
output database: alert, mysql, user=username dbname=database
sensor_name=sensor1 password=password host=X.X.X.X
 
When I run snort, I get a warning message stating "Unrecognized syslog
facility/priority: host=X.X.X.X"
 
Has anyone successfully got snort to syslog to a remote syslog server?
If so, can you let me know how you did it?
 
Also, has anyone got anything like Swatch on a W32 machine to report
from Syslog Files?
 
Thanks
 
Steve
 
 
Steve Williams
Communications Support Engineer
Computershare Technology Services
 
PH +61 3 92355651
FAX +61 3 94732409
www.computershare.com
 


---
This email and any files transmitted with it are solely intended for the
use of the addressee(s) and may contain information that is confidential
and privileged. If you receive this email in error, please advise us by
return email immediately. Please also disregard the contents of the email,
delete it and destroy any copies immediately. Computershare Limited and its
subsidiaries do not accept liability for the views expressed in the email
or for the consequences of any computer viruses that may be transmitted
with this email.

This email is also subject to copyright. No part of it should be
reproduced, adapted or transmitted without the written consent of the
copyright owner.
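
As an added example (not Snort's code, not Kiwi's, and not from anyone in this thread), here is a stand-alone forwarder for the question Steve asks above: it tails Snort's fast-format alert file and sends each alert to a remote syslog server as a BSD syslog datagram ("<PRI>Mmm dd hh:mm:ss HOST TAG: MSG" on UDP/514, with PRI = facility * 8 + severity, as in RFC 3164). It does on the sensor what the host= option in the posted output line was expected to do. The server address, the alert file path and the sample alert lines are assumptions and constructed data; only the socket module is used, so it runs on W2K as well as Unix, assuming a Python interpreter is installed there.

```python
#!/usr/bin/env python3
"""Added example: forward Snort fast-format alerts as RFC 3164 syslog over UDP."""

import socket
import sys
import time

# Numbers from RFC 3164 for the LOG_* names used in snort.conf.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def priority(facility, severity):
    """PRI value; LOG_AUTH + LOG_ALERT (the pair in the thread) gives 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def local_time(year, month, day, hour, minute, second):
    """Build the struct_time syslog_packet expects (for fixed timestamps)."""
    return time.localtime(time.mktime((year, month, day, hour, minute, second, 0, 0, -1)))


def syslog_packet(facility, severity, hostname, tag, msg, when=None):
    """Encode one RFC 3164 datagram. `when` is a time.struct_time (local
    time); the day is space-padded to two characters as the RFC shows, and
    the datagram is cut at the RFC's 1024-byte limit."""
    t = when if when is not None else time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    data = f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {msg}"
    return data.encode("ascii", "replace")[:1024]


class RecordingSocket:
    """sendto-compatible stand-in that records datagrams instead of sending
    them (used by the dry run and by tests)."""
    def __init__(self):
        self.sent = []

    def sendto(self, data, addr):
        self.sent.append((data, addr))


def forward(lines, server, port=514, facility="LOG_AUTH", severity="LOG_ALERT",
            hostname=None, tag="snort", sock=None):
    """Send each non-empty line as its own datagram; returns the count sent."""
    hostname = hostname or socket.gethostname()
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for line in lines:
            line = line.rstrip("\r\n")
            if line:
                sock.sendto(syslog_packet(facility, severity, hostname, tag, line),
                            (server, port))
                sent += 1
    finally:
        if own:
            sock.close()
    return sent


def follow(path, poll=1.0):
    """Yield lines appended to `path`, like `tail -f`; starts at the end so
    only alerts raised after startup are forwarded."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed alert lines in Snort's fast format (not captured traffic).
SAMPLE_ALERTS = [
    "06/12-16:11:16.123456  [**] [1:615:3] SCAN SOCKS Proxy attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.77:1282 -> 192.0.2.243:1080",
    "06/12-16:11:17.654321  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
    "192.0.2.77 -> 192.0.2.243",
]

if __name__ == "__main__":
    # usage: forwarder.py <syslog server> [alert file] [--dry-run]; the
    # default server and the sample alerts are this example's assumptions.
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    server = args[0] if args else "192.0.2.1"
    source = follow(args[1]) if len(args) > 1 else SAMPLE_ALERTS
    sink = RecordingSocket() if "--dry-run" in sys.argv else None
    print("sent", forward(source, server, hostname="sensor1", sock=sink), "datagram(s)")
    for data, addr in (sink.sent if sink else []):
        print(addr, data.decode())
```

Point it at the collector and at Snort's alert file (on the W2K port that is the alert file under the -l log directory) and run it as a service or scheduled task alongside Snort. Keep in mind that BSD syslog over UDP is unauthenticated, unencrypted and lossy: a host on the path can spoof or drop alerts, so only accept remote syslog on the collector from the sensor's address, and let the database output remain the record of truth.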

------=_NextPart_000_0001_01C2122B.C8A49C40
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">


<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 10">
<meta name=3DOriginator content=3D"Microsoft Word 10">
<link rel=3DFile-List href=3D"cid:filelist.xml at ...6069...">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PersonName"/>
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
   <w:UseFELayout/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]--><!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:SimSun;
	panose-1:2 1 6 0 3 1 1 1 1 1;
	mso-font-alt:\5B8B\4F53;
	mso-font-charset:134;
	mso-generic-font-family:auto;
	mso-font-pitch:variable;
	mso-font-signature:3 135135232 16 0 262145 0;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;
	mso-font-charset:0;
	mso-generic-font-family:swiss;
	mso-font-pitch:variable;
	mso-font-signature:553679495 -2147483648 8 0 66047 0;}
@font-face
	{font-family:"\@SimSun";
	panose-1:2 1 6 0 3 1 1 1 1 1;
	mso-font-charset:134;
	mso-generic-font-family:auto;
	mso-font-pitch:variable;
	mso-font-signature:3 135135232 16 0 262145 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;
	text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;
	text-underline:single;}
p
	{mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:SimSun;}
code
	{font-family:"Courier New";
	mso-ascii-font-family:"Courier New";
	mso-fareast-font-family:SimSun;
	mso-hansi-font-family:"Courier New";
	mso-bidi-font-family:"Courier New";}
span.EmailStyle17
	{mso-style-type:personal;
	mso-style-noshow:yes;
	mso-ansi-font-size:10.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:Arial;
	mso-ascii-font-family:Arial;
	mso-hansi-font-family:Arial;
	mso-bidi-font-family:Arial;
	color:windowtext;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	mso-style-noshow:yes;
	mso-ansi-font-size:10.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:Arial;
	mso-ascii-font-family:Arial;
	mso-hansi-font-family:Arial;
	mso-bidi-font-family:Arial;
	color:navy;}
span.SpellE
	{mso-style-name:"";
	mso-spl-e:yes;}
span.GramE
	{mso-style-name:"";
	mso-gram-e:yes;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;
	mso-header-margin:.5in;
	mso-footer-margin:.5in;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */=20
 table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin:0in;
	mso-para-margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Steve,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>That won’t work. You are =
going to
have to use a 3<sup>rd</sup> party <span class=3DSpellE>Syslog</span> =
Server like
Kiwi <span class=3DSpellE>Syslog</span> Daemon which will do everything =
you need,
including emailing alerts, but not =
freeware.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>If you find anything else on the =
freeware
side, could you let me know? I have a list of people looking for a =
freeware
utility for emailing alerts on Windows.<o:p></o:p></span></font></p>

http://www.kiwisyslog.com/

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Steven Williams
Sent: Tuesday, June 11, 2002 8:57 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Syslog on W2K

Hi,

I am using snort 1.8.6 on W2K.

I wish to log to the mysql database, but also log to a syslog server using the commands below;

output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X

output database: alert, mysql, user=username dbname=database sensor_name=sensor1 password=password host=X.X.X.X

When I run snort, I get a warning message stating "Unrecognized syslog facility/priority: host=X.X.X.X"

Has anyone successfully got snort to syslog to a remote syslog server? If so, can you let me know how you did it?

Also, has anyone got anything like Swatch on a W32 machine to report from Syslog Files?

Thanks

Steve

Steve Williams
Communications Support Engineer
Computershare Technology Services

PH +61 3 92355651
FAX +61 3 94732409
www.computershare.com

---
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email

This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.

</div>

</body>

</html>
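As an added illustration (not code from this thread and not Snort's own parser), the following Python models what the warning quoted in the message implies: the syslog output plugin splits its arguments on whitespace and expects every token to be a facility or priority keyword, so a `host=X.X.X.X` token is reported as an unrecognized facility/priority. The keyword lists, the `check_alert_syslog`, `lint_snort_conf` and `parse_output_database` helpers and the `SAMPLE_CONF` snippet are all constructed for this example; the snippet reproduces the two directives from the message, X.X.X.X placeholder included.

```python
"""Lint the two 'output' directives from the quoted message.

Constructed example: it assumes, as the warning text suggests, that the
alert_syslog plugin accepts only facility and priority keywords, and it
models the database directive's 'key=value' argument style for contrast.
"""
import re

# Common syslog facility/priority names (a representative set, not Snort's
# full table).
FACILITIES = {
    "LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
    "LOG_LOCAL0", "LOG_LOCAL1", "LOG_LOCAL2", "LOG_LOCAL3",
    "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7",
}
PRIORITIES = {
    "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
    "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG",
}

SYSLOG_DIRECTIVE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(.*)$")
DB_DIRECTIVE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")

# Constructed sample: the two lines from the message, as written there.
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT host=X.X.X.X
output database: alert, mysql, user=username dbname=database sensor_name=sensor1 password=password host=X.X.X.X
"""


def check_alert_syslog(line):
    """Return (facility, priority, unrecognized_tokens) for one directive."""
    m = SYSLOG_DIRECTIVE.match(line)
    if not m:
        raise ValueError("not an 'output alert_syslog:' directive")
    facility, priority, unrecognized = None, None, []
    for tok in m.group(1).split():
        if tok in FACILITIES:
            facility = tok
        elif tok in PRIORITIES:
            priority = tok
        else:
            # Anything else, including 'host=...', is not a known keyword.
            unrecognized.append(tok)
    return facility, priority, unrecognized


def parse_output_database(line):
    """Split 'output database: <mode>, <dbtype>, k=v ...' into a dict."""
    m = DB_DIRECTIVE.match(line)
    if not m:
        raise ValueError("not an 'output database:' directive")
    mode, dbtype, rest = m.groups()
    params = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {"mode": mode, "dbtype": dbtype, **params}


def lint_snort_conf(text):
    """Scan a snort.conf snippet; return warnings in the plugin's wording."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SYSLOG_DIRECTIVE.match(line):
            _, _, bad = check_alert_syslog(line)
            for tok in bad:
                warnings.append(
                    f"line {lineno}: Unrecognized syslog facility/priority: {tok}")
    return warnings


if __name__ == "__main__":
    for w in lint_snort_conf(SAMPLE_CONF):
        print(w)
    print(parse_output_database(SAMPLE_CONF.splitlines()[1]))
```

Running the block against `SAMPLE_CONF` produces exactly one warning, naming `host=X.X.X.X` as the offending token on the alert_syslog line, while `parse_output_database` shows the same `key=value` style being accepted by the database directive, where `host=` is a real parameter. One defender's caveat the database line makes visible: the MySQL password sits in plaintext in snort.conf, so restrict read access to that file and give the account named by `user=` only the privileges it needs on the snort database.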


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



