[Snort-users] Snort and Syslog

Phil Daws uxbod at ...14273...
Thu Apr 4 14:49:42 EDT 2013


Hi Jeremy, 

How many rules would be required in OSSEC to suppress those entries! ;) The issue is how to make Snort write to a different file than syslog. I do not wish to suppress the Snort info, just redirect it to a different file so that I can pick the juicy bits out to monitor. Appreciate the input. 

Thanks. 

----- Original Message -----

From: "Jeremy Hoel" <jthoel at ...11827...> 
To: "Phil Daws" <uxbod at ...14273...> 
Cc: snort-users at lists.sourceforge.net 
Sent: Thursday, 4 April, 2013 4:45:24 PM 
Subject: Re: [Snort-users] Snort and Syslog 

In OSSEC make a local rule to ignore the file and the process? 

Or setup snort to not output to syslog.. 

and you might try running snort with the '-q' flag and see if it's quieter in the logs. 


On Thu, Apr 4, 2013 at 12:23 PM, Phil Daws <uxbod at ...14273...> wrote: 


Hi, 

When Snort starts it writes specific information to /var/log/messages eg. 

Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ] 
Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] ------------------------------------- 
Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q 
Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA 
Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars 
Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes) 
Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294 
Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275 
Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19 
Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0 
Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637 

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :( 

Any thoughts please ? 

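The reason the snort.none / snort.* attempt did not work is that "snort" is not a syslog facility: rsyslog selectors are facility.priority pairs, and Snort's startup lines are tagged with the program name "snort" rather than their own facility. The fix is a property-based filter on the syslog tag. The rsyslog fragment below is an added example for this thread, not configuration from the original posts; the drop-in file name, the destination /var/log/snort/startup.log and the assumption that the rule can be ordered ahead of the distribution's /var/log/messages rule are all mine.

```rsyslog
# /etc/rsyslog.d/10-snort.conf  (assumed path; the file must sort before the
# rule that writes *.info;mail.none;... to /var/log/messages, which on most
# distributions lives in 50-default.conf or the main rsyslog.conf)

# What was tried: "snort" is not a syslog facility, so rsyslog rejects these
# selectors and the messages keep landing in /var/log/messages.
#   snort.none   /var/log/messages
#   snort.*      /var/log/snort/startup.log

# What works: match on the syslog tag (programname) instead of the facility.
# The daemon writes its startup report with ident "snort", e.g.
#   Apr  4 12:01:40 fw1 snort[2951]: | Instances : 294
# /var/log/snort/startup.log is an assumed destination; create the directory
# with permissions that let the rsyslog user write to it.
:programname, isequal, "snort"    /var/log/snort/startup.log

# Discard the line here so later rules (including the /var/log/messages one)
# never see it. "stop" is rsyslog 7+; on rsyslog 5/6 use the legacy "& ~".
& stop
```

After restarting rsyslog, `logger -t snort "routing test"` should land in the new file and not in /var/log/messages. Because this filters on the tag rather than on content, it also catches the ordinary "snort[pid]:" status lines, which is what the question asks for; Snort alerts sent via output alert_syslog use the same ident and will follow the same route, so point OSSEC at the new file (a syslog-format `<localfile>` entry) if those are the bits to monitor, or tune the filter on `$msg` if only the startup banner should move. Running Snort with -q is a separate option: it suppresses the banner and status report at the source rather than relocating it.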




