[Snort-users] Stealth syslog to remote server

JP Vossen vossenjp at ...8683...
Sat May 24 09:43:04 EDT 2003


> Date: Sat, 24 May 2003 03:26:41 -0700 (PDT)
> From: Carol Overes <message4casa at ...131...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Stealth syslog to remote server
>
> Hi,
>
> I'm looking for a method to sniff syslog messages on an
> ethernet segment, and forward these messages to a
> remote syslog server. I want to capture the syslog
> messages by using snort in stealth mode.
>
> I have seen some articles about this matter
> (http://www.linuxsecurity.com/feature_stories/snortlog-part1.html).
> However, in this case a snort alert is logged to
> syslog. I want to log the captured syslog packets to a
> remote syslog server.

So have Snort log to the local syslog using a user defined facility like
local5, then forward "local5	@remoteloghost"...


> There is a script that can log to syslog, called
> 'snort2syslog'.

Thanks for the link!  I was just writing a very similar tool.


> But I was wondering if Snort can log
> these messages by itself.

Sort of.  As you note above, Snort can already use syslog.  It has the -s
switch and the alert_syslog directive.  On UNIX machines, using those will
cause Snort to send alerts to the local syslog.  You can then forward that
elsewhere (as I noted above).  On Windows Snort can alert to a "remote" syslog
server.  That remote server can in fact be located on the same machine or a
different one (using a Windows syslog server locally or any syslog server
remotely).

But depending on what you mean by "stealth" that may not be quite what
you are talking about.

My approach to the tool I am writing (StealthSyslog.pl) is to run Snort
something like this:
	snort -vdCqi eth0 udp port 514 | StealthSyslog.pl | \
		logger -t StealthSyslog.pl -p local5.info

Then you can just forward local5 to wherever.  My situation is that I have a
honeypot on an isolated segment such that I can't get syslog from it to my
LAN.  But I have Snort monitoring it (among other things) on an unnumbered
interface.  I've configured the honeypot with a local route and static arp
entry for a bogus IPA on the isolated segment and forwarded all syslog to that
non-existent address.  In addition to monitoring for the Snort.org rules on
the unnumbered interface, Snort can log the syslog traffic, and dump it into
the IDS's syslog.  From there it can be forwarded as needed.  Using syslog-ng
would allow much more flexibility with that, but I haven't gotten around to
that yet.

You might also check out the Loganalysis site at www.loganalysis.org.  I will
eventually post my script there, with whatever links and other useful info I
find.  I'm still in the early phases of development, and that only when I can
spare the time.

I hope this is helpful,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
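The filter step in the pipeline described in the message above (the part that sits between `snort -vdCqi eth0 udp port 514` and `logger`), written out as an added example. This is not JP's StealthSyslog.pl, which was not posted; it is a Python stand-in. The Snort record layout in the constructed sample is an approximation of `-vdC` text output (a header line, protocol lines, a `Len:` line, the character-only payload, then a `=+=+` separator), and the parser relies only on those three landmarks. It goes a little beyond the post: instead of flattening everything to `local5.info`, it re-tags each datagram under local5 but keeps the sniffed message's own severity and appends where it came from, so a single `local5 @remoteloghost` forwarding rule still carries all of it.

```python
#!/usr/bin/env python3
"""Pull syslog payloads out of a 'snort -vdC' text dump and re-tag them.

Added example, not the StealthSyslog.pl script from the post.  The sample
dump below is constructed and only approximates Snort's -vdC output.
Usage in the post's pipeline (hypothetical file name):
    snort -vdCqi eth0 udp port 514 | stealth_syslog.py | logger -t StealthSyslog -p local5.info
or, to bypass the local syslog entirely:
    snort -vdCqi eth0 udp port 514 | stealth_syslog.py --send remoteloghost
"""
import re
import socket
import sys
from typing import Iterator, List, Tuple

# Packet header as Snort prints it in verbose mode: "MM/DD-HH:MM:SS.usec SRC:PORT -> DST:PORT"
HEADER_RE = re.compile(
    r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)$")
# Leading <PRI> of a BSD syslog (RFC 3164) datagram
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

SYSLOG_FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                     "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                     "alert", "clock", "local0", "local1", "local2", "local3",
                     "local4", "local5", "local6", "local7"]
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
                     "info", "debug"]


def snort_records(lines) -> Iterator[Tuple[str, str, str]]:
    """Yield (src_ip, dst_ip, payload) for each packet in a 'snort -vdC' dump."""
    src = dst = None
    payload = None          # None means we are not inside a payload section
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:               # new packet: remember endpoints, wait for payload
            src, dst = m.group(1), m.group(3)
            payload = None
            continue
        if payload is None:
            if line.startswith("Len:"):
                payload = []    # payload lines follow until the separator
            continue
        if line.startswith("=+=+"):     # end-of-packet separator
            if src is not None and payload:
                yield src, dst, "\n".join(payload)
            src = dst = payload = None
            continue
        payload.append(line)


def split_pri(payload: str) -> Tuple[int, int, str]:
    """Return (facility, severity, message) for a BSD syslog datagram.

    RFC 3164 says a datagram without a valid PRI is to be treated as <13>,
    i.e. user.notice, so that is what a PRI-less or out-of-range one gets.
    """
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return pri >> 3, pri & 7, m.group(2)
    return 1, 5, payload


def retag(src_ip: str, payload: str, facility: str = "local5") -> str:
    """Rebuild the datagram under our own facility, keeping the original
    severity and noting the original facility and the sniffed source."""
    fac, sev, msg = split_pri(payload)
    new_pri = (SYSLOG_FACILITIES.index(facility) << 3) | sev
    origin = f"{SYSLOG_FACILITIES[fac]}.{SYSLOG_SEVERITIES[sev]} from {src_ip}"
    return f"<{new_pri}>{msg.rstrip()} [{origin}]"


def process(dump: str) -> List[str]:
    """Turn a whole Snort text dump into a list of re-tagged syslog datagrams."""
    return [retag(src, payload) for src, _dst, payload in snort_records(dump.splitlines(True))]


def forward(datagram: str, host: str, port: int = 514) -> int:
    """Ship one re-tagged datagram straight to a collector over UDP/514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram.encode("utf-8", "replace"), (host, port))


# Constructed sample in the approximate shape of 'snort -vdC' output (not a real capture)
SAMPLE_DUMP = """\
05/24-09:43:04.123456 10.0.0.5:514 -> 10.0.0.254:514
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:88
Len: 60
<34>May 24 09:43:04 honeypot sshd[2134]: Failed password for root
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/24-09:43:05.654321 10.0.0.5:514 -> 10.0.0.254:514
UDP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:70
Len: 42
May 24 09:43:05 honeypot kernel: no PRI on this one
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

if __name__ == "__main__":
    collector = sys.argv[2] if len(sys.argv) > 2 and sys.argv[1] == "--send" else None
    for src, _dst, payload in snort_records(sys.stdin):
        line = retag(src, payload)
        if collector:
            forward(line, collector)
        else:
            # logger adds its own PRI, so hand it the text without ours
            print(split_pri(line)[2], flush=True)
```

When piping into `logger`, the script strips the `<PRI>` it built so logger does not embed it as text; only the `--send` path emits real syslog datagrams. Neither path authenticates anything, which is the point of the honeypot arrangement in the post: the IDS interface is unnumbered, so the honeypot cannot reach the collector, but anything on that segment can still spray forged syslog at the bogus address.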
