
[Snort-users] Syslog,MySql, IDS Center /Eagle X


Freddie Soerensen
May 20, 2003, 4:04:30 AM
Ueli

Does the present version of IDSCenter work with Snort 2.0 ?

Freddie


> -----Original Message-----
> From: Ueli Kistler [mailto:i...@gmx.ch]
> Sent: Monday, 19 May 2003 19:26
> To: McBurnett, Jim
> Cc: snort...@lists.sourceforge.net
> Subject: Re: [Snort-users] Syslog,MySql, IDS Center /Eagle X
>
>
> Hello
>
> McBurnett, Jim wrote:
>
> .. <snip>
> >
> > I tried to add Syslog to it and Bingo-- It crashes every time it sends
> > a message..
> > I tried to send to an external syslog.. no go. I tried an on Machine
> > Syslog.
> > No go.. System has 3 NICS, and I am using the 2nd NIC.
> >
>
> Snort 2.0:
> add a syslog output plugin in the output plugin wizard.. then click on
> apply. Now go to "IDS rules" again, where the Snort configuration editor
> is (Snort.conf).. scroll down until you find "output syslog: .."
>
> now change it to something like this:
> * output alert_syslog: LOG_AUTH LOG_ALERT
> * output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> * output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>
> - Save
> - Click on "Apply"
>
> (note from chris reid:
> For Win32, the remote host/port information has been moved into the
> snort.conf file. See the "alert_syslog" option in snort.conf. The reason
> for this was to make the command line options more compatible with the *nix
> version of snort.)
>
> Regards,
> Ueli Kistler
> ecl...@engagesecurity.com
> www.engagesecurity.com
>
> _______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


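An added check, not part of this thread or of IDScenter, that parses the three `output alert_syslog:` forms quoted above and flags the mistake the thread turns on (a space instead of a comma after `host=...`), so a snort.conf can be validated before it is applied. The facility/priority names are the standard syslog ones; the defaults used when they are omitted, and the sample config lines, are assumptions.

```python
import re

# Keywords Snort's alert_syslog plugin understands (standard syslog names).
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              *("LOG_LOCAL%d" % i for i in range(8))}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}
SAMPLE_CONF = "output alert_syslog: host=10.0.0.5:1514, LOG_AUTH LOG_ALERT\noutput alert_syslog: host=10.0.0.5 LOG_AUTH LOG_ALERT\n"  # constructed sample

def parse_alert_syslog(line):
    """Parse one 'output alert_syslog: ...' line; returns a dict or raises
    ValueError, so snort.conf can be checked before it is applied."""
    m = re.match(r"^\s*output\s+alert_syslog:\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not an 'output alert_syslog:' line")
    args = m.group(1)
    host, port = None, None  # no host= means log to the local syslog
    if args.startswith("host="):
        # Win32 Snort 2.0 form: host=hostname[:port] must end with a comma, not a space.
        if "," not in args:
            raise ValueError("host=... must be followed by a comma, not a space")
        spec, args = args.split(",", 1)
        host, _, port_s = spec[len("host="):].partition(":")
        if not host or " " in host:
            raise ValueError("bad host %r" % host)
        if port_s and not (port_s.isdigit() and 1 <= int(port_s) <= 65535):
            raise ValueError("bad port %r" % port_s)
        port = int(port_s) if port_s else 514  # 514/udp is the syslog default
    facility, priority = "LOG_AUTH", "LOG_INFO"  # assumed defaults when omitted
    for tok in args.split():
        if tok in FACILITIES:
            facility = tok
        elif tok in PRIORITIES:
            priority = tok
        elif tok not in OPTIONS:
            raise ValueError("unknown alert_syslog keyword %r" % tok)
    return {"host": host, "port": port, "facility": facility, "priority": priority}

def check_snort_conf(text):
    """Check every alert_syslog line in a snort.conf text; returns [(lineno, result)]."""
    results = []
    for n, ln in enumerate(text.splitlines(), 1):
        if ln.lstrip().startswith("output alert_syslog:"):
            try:
                results.append((n, parse_alert_syslog(ln)))
            except ValueError as e:
                results.append((n, "ERROR: %s" % e))
    return results
```

Running `check_snort_conf(SAMPLE_CONF)` accepts the first line and reports the second, whose missing comma would otherwise be swallowed into the host name.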

Ueli Kistler
May 20, 2003, 6:53:47 AM
Yes IDScenter 1.1 RC2 does support Snort 2.0.. but don't set "Include
ARP packets (-a)" option.. this option was removed.. another problem is
Syslog support:
workaround when you want to use Syslog:
- Add syslog plugin normally using Output plugins wizard
- Apply
- Go to the Snort configuration file editor panel (Snort.conf).. scroll
down until you see something like this.. : output syslog: .....
- Change it to: output syslog: host=myhost:myport, ....
- Yes it is a comma not a space ;)

A 100% Snort 2.0 supporting version of IDScenter (.. distance, within,
byte_jump, byte_test keywords, new inline configuration options.. etc.)
is already programmed,
but not released yet. Some other new cool features are: SQL queries for
reports (HTML output, DNS queries are done using a very fast
multithreaded code (by me .. ;) )).. the SQL queries work even using
AlertMail, what's new about alertmail, is also that it is a thread, so
the application is no longer blocked for a while.

More details about SQL queries -> HTML output:
- Decoding of packet information
- TCP Flags
- Payload decoding (format: "encoded payload ASCII=decoded
payload"): Hex to Ascii, Base64 to Ascii
- non-printable characters are replaced by a red `
- etc... ;)

The Ruleset manager can now sort the rules by clicking on the columns
(also the classifications can be sorted like this).
I also reviewed some code (bug fixes included).. a Whois lookup is
available from the internal logviewer.

Another cool feature is the use of Oinkmaster (perl script by Andreas
Östling)... IDScenter can write the whole configuration file for you and
has also a HTTP client which checks for new rule updates (Details: using
Last-Modified field for this, minimum interval is 15min.. we don't want
to slow down www.snort.org)

Concerning Syslog support of Snort: IDScenter 1.1 RC3 (my dev version)
does support both.. Snort 1.8/1.9 and Snort 2.0 setup of the syslog
plugin...

Ok.. sorry that it's not yet available ;) .. i just wanted to add
something else before releasing it..

NOTE: www.packx.net is *no longer* the official site for IDScenter!..
The next release is available on www.engagesecurity.com (not online for
now).

--

Freddie Soerensen wrote:

>Ueli
>
>Does the present version of IDSCenter work with Snort 2.0 ?
>
>Freddie
>
>

Freddie Soerensen
May 20, 2003, 2:23:51 PM
Patrick

I didn't mean SnortCenter, but IDSCenter

Freddie

-----Original Message-----
From: Patrick S. Harper [mailto:li...@internetsecurityguru.com]
Sent: Tuesday, 20 May 2003 15:16
To: Freddie Soerensen
Subject: Re: AW: [Snort-users] Syslog,MySql, IDS Center /Eagle X


http://users.pandora.be/larc/

Have you looked on the website?


On Mon, 2003-05-19 at 23:27, Freddie Soerensen wrote:
> Ueli
>
> Does the present version of IDSCenter work with Snort 2.0 ?
>
> Freddie
