[Snort-users] Snort and Syslog

Jeremy Hoel jthoel at ...11827...
Thu Apr 4 13:48:54 EDT 2013


OSSEC has many rules, you can tweak them.  It's not a False Positive... it
is something you might want to know, if you have no other tools telling you
the data.


On Thu, Apr 4, 2013 at 5:38 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/4/2013 10:45, Josh Bitto wrote:
> > You're probably better off asking this question in rsyslog's mail group.
> > I've gotten a lot of help from them.
>
> or even better, report it to OSSEC so it can be fixed and not have the
> problems any more... one has to wonder what all the other OSSEC-using sites
> do since this info is always posted... I just checked a live snort
> 2.8.something installation and it posts this info, too... I know there are
> folks using OSSEC who used to run snort 2.8...
>
> > -----Original Message-----
> > From: Phil Daws [mailto:uxbod at ...14273...]
> > Sent: Thursday, April 04, 2013 5:24 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort and Syslog
> >
> > Hi,
> >
> > When Snort starts it writes specific information to /var/log/messages eg.
> >
> > Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
> > Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
> > Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
> > Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
> > Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
> > Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
> > Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
> > Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
> > Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
> > Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
> > Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
> >
> > How can I redirect those messages to a separate file as it plays havoc
> > with OSSEC :) I have tried adding snort.none to rsyslog.conf for
> > /var/log/messages and then added snort.* to direct to another file. That
> > did not work :(
> >
> > Any thoughts please ?
>
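For anyone landing on this thread with the same problem, the following rsyslog fragment is an added example written for this archive page; it is not something any of the posters supplied, and none of them tested it. The attempt described in the original post (`snort.none` / `snort.*`) uses the classic `facility.priority` selector syntax, and "snort" is not a syslog facility, so rsyslog has nothing to match on. What the log lines quoted above do show is the program tag (`snort[2951]:`), which rsyslog exposes as the `programname` property. The example assumes a stock rsyslog that includes `/etc/rsyslog.d/*.conf` before the catch-all `/var/log/messages` rule, and a target directory that the rsyslog daemon can write to; the file name is an assumption too.

```conf
# /etc/rsyslog.d/10-snort.conf  (added example; path and file name are assumptions)
#
# Match on the syslog program tag rather than a facility. Everything that
# Snort writes through syslog (the startup Aho-Corasick summary quoted in
# the thread included) carries the tag "snort", so this catches all of it.
# rsyslog evaluates rules in order, so this fragment must be loaded before
# the rule that sends *.info (etc.) to /var/log/messages.

:programname, isequal, "snort"    /var/log/snort/snort-syslog.log
& stop

# Equivalent RainerScript form, if you prefer the newer syntax (rsyslog v7+):
#
# if $programname == 'snort' then {
#     action(type="omfile" file="/var/log/snort/snort-syslog.log")
#     stop
# }
```

`& stop` discards the message after the preceding action has handled it, which is what keeps the lines out of `/var/log/messages`; on rsyslog releases older than v7 the same directive is written `& ~`. Check the configuration with `rsyslogd -N1` before restarting the daemon. One caveat worth stating plainly: the filter moves every Snort-tagged line, not only the startup chatter, so if OSSEC (or anything else) is expected to keep watching Snort's syslog output, point its log monitor at the new file rather than at `/var/log/messages`.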