[Snort-users] syslog ? and file file ?

Turnquist,Wayne WayneTurnquist at ...12076...
Wed Jul 7 21:28:01 EDT 2004


to give some details. we connect to the internet by connecting to the corp data center along with a bunch of other hospitals. since security is becomming more of a problem because of all the virus/trojan horse i decide i need to tight our side up even tho corp has fiewalls and other security process.

so i want to get snort up and running and to watch for the basic attacks.i don't what to have to constantly twitch the rules because i don't have much time since  im a one man shop hear at the hospital. would the standard rules and the options for the rules that come with the installation of snort be gone enough or should i turn on some other rules that are disabled in the standard install

right now i have the router to corp---->hub---->switch, where i have snort and ntop installed in the hub on 2 different pc's


I start working with snort yesterday.  I finely got it to at least run.

i have a windows 2000 pro with all the updates
i installed snort 2.1.3 and winpcap 3.0

on another win2000 pro i have kiwi syslog running

i'm using the installed rules and conf except for the following changes to the installed conf

var HOME_NET[10.110.96.0/24,10.110.97.0/24,10.110.99.0/24,10.110.100.0/23,10.110.102.0/24,10.110.106.0/24,10.1.1.0/24]

var DNS_SERVERS [10.110.101.231/32,10.110.101.233/32]
var SMTP_SERVERS [10.110.101.233/32]
var SNMP_SERVERS [10.110.99.2/32,10.110.99.4/32]
var RULE_PATH d:\ids\snort\rules
output log_tcpdump: tcpdump.log
output alert_syslog: host=10.110.99.4:514, LOG_AUTH LOG_ALERT


i issue the following command at the d:\ids\snor\bin dir
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d not host 10.250.24.25

it does create the alert.ids and the tcpdump file.
but im not getting any syslog msg to the machine running kiwi syslog. i do have another device on the network sending msys to the syslog. so i know it can receive msg's

1)what is going wrong
2)assuming i get this to work, can i have syslog msg send to 2 different pc at the same time
--------------------------------------------------------------

The next question.

I want to get up and running quickly.  In case of point the not host 10.250.24.25 is a solarwinds at the main corp. data center monitoring some equipment in our network.  this seems to work but there is other equipment at corp that i trust and for now i would like to trust fully and at this time tight down to the actual stream the need.  so my question is how can i add lets say 5 devices from corp from not generating alerts?

do i create file lets say it is called ty.txt
not host x
not host y
not host z
not host g
not host k

then use the following
snort -c "d:\ids\snort\etc\snort.conf" -l d:\ids\snort\log -i 1 -d -f  "c:\ty.txt"

if this is not correct, can some one tell me how to do it correctly


another issue i noticed why planning around, is that my snmp severs are generating alerts when the probe the router which is 10.110.101.254 even tho i used the var to declare my snmp pc's. do i need to added this ip number to the not host file as state above. if not, what am im doing wrong


thank you
wt











More information about the Snort-users mailing list