[Snort-users] Snort ---> syslog

Michael Steele michaels at ...155...
Fri Jun 21 09:49:05 EDT 2002


Don,

When alerts get triggered and logged, the size of the payload is
determined in the header information, and that's what is logged, minus
the header information, to the alert.ids file. Syslog only logs part of
that payload. Swatch can be set to trigger email alerts based on unique
information that is being logged to Syslog, which is very useful.

Here is a comparison of one Syslog alert and the same alert in the
alert.ids log file. This may give you an insight as to what the
difference is, and what Syslog is actually logging.

Syslog:

[111:3:1] spp_stream4: Possible RETRANSMISSION detection {TCP}
209.179.198.82:1218 -> 208.25.194.160:80

Alert.ids:

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
06/21-08:32:01.224781 209.179.198.82:1218 -> 208.25.194.160:80
TCP TTL:117 TOS:0x0 ID:4443 IpLen:20 DgmLen:308 DF
***AP*** Seq: 0x72CF9057  Ack: 0x19449E78  Win: 0x2238  TcpLen: 20

It all depends on your management console as to what information in the
payload gets displayed to you. It's unique from one management console
to another.

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
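As an added example (not from the thread or from Snort itself), the script below parses both formats quoted above, the one-line syslog alert and the four-line alert.ids record, and lists the header fields the syslog path drops; the sample records are the ones quoted in this thread, with Don's wrapped syslog line rejoined.

```python
import re

# Sample records (the ones quoted in this thread; Don's line rejoined onto one line).
SYSLOG_LINE = ("[111:3:1] spp_stream4: Possible RETRANSMISSION detection {TCP} "
               "209.179.198.82:1218 -> 208.25.194.160:80")
SYSLOG_LINE_CLASS = ("snort[1152]: [1:688:3] MS-SQL sa login failed [Classification: "
                     "Unsuccessful User Privilege Gain] [Priority: 1]: {TCP} "
                     "xx.xx.xx.xx:1433 -> 216.154.205.87:2405")
ALERT_IDS = """[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
06/21-08:32:01.224781 209.179.198.82:1218 -> 208.25.194.160:80
TCP TTL:117 TOS:0x0 ID:4443 IpLen:20 DgmLen:308 DF
***AP*** Seq: 0x72CF9057  Ack: 0x19449E78  Win: 0x2238  TcpLen: 20"""

# One-line syslog alert: gid:sid:rev, message, optional Classification/Priority
# tags, protocol and the address pair. No timestamp and no IP/TCP header fields.
SYSLOG_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s*)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s*)?:?\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)")

def parse_syslog(line):
    """Fields a syslog consumer such as Swatch can actually match on."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not a Snort syslog alert: %r" % line)
    return {k: v for k, v in m.groupdict().items() if v is not None}

def parse_alert_ids(record):
    """Parse the four-line alert.ids record: rule header, addresses, IP, TCP."""
    hdr, pkt, ip, l4 = record.strip().splitlines()
    m = re.match(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]", hdr)
    out = dict(zip(("gid", "sid", "rev", "msg"), m.groups()))
    m = re.match(r"(\S+) (\S+):(\d+) -> (\S+):(\d+)", pkt)
    out.update(zip(("timestamp", "src", "sport", "dst", "dport"), m.groups()))
    out["proto"] = ip.split()[0]
    # "TTL:117 TOS:0x0 ..." pairs plus bare IP flag tokens such as DF
    out.update((k.lower(), v) for k, v in re.findall(r"(\w+):(\S+)", ip))
    out["ip_flags"] = [t for t in ip.split()[1:] if ":" not in t]
    out["tcp_flags"] = l4.split()[0]                       # e.g. ***AP***
    out.update((k.lower(), v) for k, v in re.findall(r"(\w+): (\S+)", l4))
    return out

def fields_lost_to_syslog(full, short):
    """Names of alert.ids fields that the syslog line does not carry."""
    return sorted(set(full) - set(short))

if __name__ == "__main__":
    print(fields_lost_to_syslog(parse_alert_ids(ALERT_IDS), parse_syslog(SYSLOG_LINE)))
```

Running it prints the twelve fields (timestamp, TTL, TOS, IP ID, lengths, TCP flags, seq/ack/window) that only reach you through alert.ids or your management console, which is why a Swatch rule on syslog can key only on the sid, message, protocol and addresses.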

-----Original Message-----
From: Don [mailto:Don at ...5881...] 
Sent: Friday, June 21, 2002 8:36 AM
To: Michael Steele; 'spy'
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort ---> syslog

Can you give me an example of what the ALERT would be as far as the
difference between alerting to syslog and alerting to anything else? I mean,
as I understand it, the ALERT in and of itself contains just what is between
the quotes on the alert line itself that states the message to be used; what
other alert message is there that any other logging mechanism would provide?
For example, using sql.rules, one line is

alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; content: "Login failed for user |27|sa|27|"; flags:A+; offset:83; classtype:attempted-user; sid:680; rev:3;)

When there is a failed login that triggers that specific rule, the alert
sent to the syslog server is

   snort[1152]: [1:688:3] MS-SQL sa login failed [Classification: Unsuccessful User Privilege Gain] [Priority: 1]: {TCP} xx.xx.xx.xx:1433 -> 216.154.205.87:2405

Are you telling me, by saying "You will get a lot more information from the
console manager you are using.", that I will get some other message by using
any other logging method? If so, what other message would that be, and by
what method?

Don


> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Michael
> >Steele
> >Sent: Friday, June 21, 2002 7:44 AM
> >To: 'spy'
> >Cc: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Snort ---> syslog
> >
> >
> >Spyguy,
> >
> >When you select Syslog you get 1 line of alert and that line is limited
> >to a number of characters. You will get a lot more information from the
> >console manager you are using.
> >
> >You can use spade to do correlations, and there are others.
> >
> >You can send the Syslog to a remote Syslog server, and use Swatch to
> >email alerts, this is the way to do it, or use Swatch on the local
> >Syslog, but of course this is *nix specific. Swatch won't run on Windows
> >:(
> >
> >-Michael
> >--
> > Michael Steele | System Engineer / Support Technician
> > mailto:michaels at ...155...
> > Silicon Defense: IDS solutions - http://www.silicondefense.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of spy
> >Sent: Wednesday, May 22, 2002 8:05 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] Snort ---> syslog
> >
> >Anyone have any experience with snort logging to syslog?
> >I have a few questions before i 'try' it.
> >
> >1) Are logs and alerts LACKING useful data that you would normally get
> >with regular snort logging?
> >
> >2) Are you using any correlation tools like NetForensics or something
> >else?
> >
> >3) Can you send syslog from multiple snort sensors to one syslog server
> >and run swatch? If yes, what do you like/not like about doing it this way?
> >
> >
> >Thanks in advance!
> >spyguy
> >
> >
> >
> >-------------------------------------------------------
> >Sponsored by:
> >ThinkGeek at http://www.ThinkGeek.com/
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users