From: <ko...@in...> - 2005-08-22 08:47:21

Some time ago I reimplemented snort-inline on Linux so it uses TUN/TAP virtual net interfaces instead of IPQUEUE, so it should be possible to run several instances of snort-inline. Although it can't REJECT yet (a workaround on the iptables level is possible) and it's almost untested (the development was stopped), it's usable - and is able to solve your problem. Are you (or anybody else from the snort-inline community) interested in the patch/code?

VlK

>> This is an ip_queue limitation, not a snort-inline limitation. NFQUEUE
>> which will be included in the 2.6.14 kernel will support multiple
>> queue targets, hence you will be able to run multiple instances of
>> snort-inline once we add support for it ;-).
>>
>> Regards,
>>
>> Will
>>
>> On 8/19/05, Sanjai Narain <na...@re...> wrote:
>>> We have two independently developed snortinline applications that we'd now
>>> like to run on the same interface. Is this possible via snort
>>> configuration, or do we have to merge the source code in the preprocessors
>>> directory and rebuild a single application? I would greatly appreciate any
>>> assistance.
>>>
>>> We tried starting up both snort binaries on the same interface but got an
>>> error (I believe it was resource busy). However, if we run two copies of
>>> the non-inline Snort applications on the same interface, there is no error.
>>>
>>> Thanks.
>>> --
>>> Sanjai Narain
>>> Senior Research Scientist
>>> Telcordia Technologies
From: Sanjai N. <na...@re...> - 2005-08-22 03:53:09

Nick: Thanks for pointing this out. We are running on Linux only, but your point is quite interesting.

Regards.
--
Sanjai

On Sun, 21 Aug 2005, Nick Rogness wrote:
>
>> This is an ip_queue limitation, not a snort-inline limitation. NFQUEUE
>> which will be included in the 2.6.14 kernel will support multiple
>> queue targets, hence you will be able to run multiple instances of
>> snort-inline once we add support for it ;-).
>>
>
> If your application is not platform specific, you could accomplish this
> with snort_inline on FreeBSD (which doesn't have this limitation).
>
>
>> Regards,
>>
>> Will
>>
>> On 8/19/05, Sanjai Narain <na...@re...> wrote:
>>> We have two independently developed snortinline applications that we'd now
>>> like to run on the same interface. Is this possible via snort
>>> configuration, or do we have to merge the source code in the preprocessors
>>> directory and rebuild a single application? I would greatly appreciate any
>>> assistance.
>>>
>>> We tried starting up both snort binaries on the same interface but got an
>>> error (I believe it was resource busy). However, if we run two copies of
>>> the non-inline Snort applications on the same interface, there is no error.
>>>
>>> Thanks.
>>> --
>>> Sanjai Narain
>>> Senior Research Scientist
>>> Telcordia Technologies
>>>
>
> Nick Rogness <ni...@ro...>
From: Nick R. <ni...@ro...> - 2005-08-22 03:49:37

> This is an ip_queue limitation, not a snort-inline limitation. NFQUEUE
> which will be included in the 2.6.14 kernel will support multiple
> queue targets, hence you will be able to run multiple instances of
> snort-inline once we add support for it ;-).
>

If your application is not platform specific, you could accomplish this with snort_inline on FreeBSD (which doesn't have this limitation).

> Regards,
>
> Will
>
> On 8/19/05, Sanjai Narain <na...@re...> wrote:
>> We have two independently developed snortinline applications that we'd now
>> like to run on the same interface. Is this possible via snort
>> configuration, or do we have to merge the source code in the preprocessors
>> directory and rebuild a single application? I would greatly appreciate any
>> assistance.
>>
>> We tried starting up both snort binaries on the same interface but got an
>> error (I believe it was resource busy). However, if we run two copies of
>> the non-inline Snort applications on the same interface, there is no error.
>>
>> Thanks.
>> --
>> Sanjai Narain
>> Senior Research Scientist
>> Telcordia Technologies
>>

Nick Rogness <ni...@ro...>
From: Sanjai N. <na...@re...> - 2005-08-21 13:07:44

Thanks, Will. I appreciate your informative reply.
--
Sanjai

On Sat, 20 Aug 2005, Will Metcalf wrote:
> This is an ip_queue limitation, not a snort-inline limitation. NFQUEUE
> which will be included in the 2.6.14 kernel will support multiple
> queue targets, hence you will be able to run multiple instances of
> snort-inline once we add support for it ;-).
>
> Regards,
>
> Will
>
> On 8/19/05, Sanjai Narain <na...@re...> wrote:
>> We have two independently developed snortinline applications that we'd now
>> like to run on the same interface. Is this possible via snort
>> configuration, or do we have to merge the source code in the preprocessors
>> directory and rebuild a single application? I would greatly appreciate any
>> assistance.
>>
>> We tried starting up both snort binaries on the same interface but got an
>> error (I believe it was resource busy). However, if we run two copies of
>> the non-inline Snort applications on the same interface, there is no error.
>>
>> Thanks.
>> --
>> Sanjai Narain
>> Senior Research Scientist
>> Telcordia Technologies
>>
>> -------------------------------------------------------
>> SF.Net email is Sponsored by the Better Software Conference & EXPO
>> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
>> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
>> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>
From: Will M. <wil...@gm...> - 2005-08-20 22:15:56

This is an ip_queue limitation, not a snort-inline limitation. NFQUEUE which will be included in the 2.6.14 kernel will support multiple queue targets, hence you will be able to run multiple instances of snort-inline once we add support for it ;-).

Regards,

Will

On 8/19/05, Sanjai Narain <na...@re...> wrote:
> We have two independently developed snortinline applications that we'd now
> like to run on the same interface. Is this possible via snort
> configuration, or do we have to merge the source code in the preprocessors
> directory and rebuild a single application? I would greatly appreciate any
> assistance.
>
> We tried starting up both snort binaries on the same interface but got an
> error (I believe it was resource busy). However, if we run two copies of
> the non-inline Snort applications on the same interface, there is no error.
>
> Thanks.
> --
> Sanjai Narain
> Senior Research Scientist
> Telcordia Technologies
>
From: Sanjai N. <na...@re...> - 2005-08-19 22:42:05

We have two independently developed snortinline applications that we'd now like to run on the same interface. Is this possible via snort configuration, or do we have to merge the source code in the preprocessors directory and rebuild a single application? I would greatly appreciate any assistance.

We tried starting up both snort binaries on the same interface but got an error (I believe it was resource busy). However, if we run two copies of the non-inline Snort applications on the same interface, there is no error.

Thanks.
--
Sanjai Narain
Senior Research Scientist
Telcordia Technologies
From: Will M. <wil...@gm...> - 2005-08-19 19:42:58

Most distributions have it included in the iptables-dev or iptables-devel packages. Otherwise you need to do a

make install-devel

when installing iptables from source.

Regards,

Will

On 8/19/05, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> What is the latest version of libipq ?
> Where can I download that ?
>
> Thanks a lot
>
From: Adayadil T. <ada...@gm...> - 2005-08-19 16:44:24

Greetings.

What is the latest version of libipq ?
Where can I download that ?

Thanks a lot
From: Will M. <wil...@gm...> - 2005-08-19 15:04:00

preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmart, forceipstate

should be

preprocessor stream4: disable_evasion_alerts,iptablesnewmark ,iptablesestmark ,forceiptstate

$IPTABLES -A FORWARD -p tcp --dport 8080 -m state --state NEW -j QUEUE
$IPTABLES -A FORWARD -p tcp --sport 8080 -m state --state ESTABLISHED -j QUEUE

should be something like

$IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE

clamav is not detected over http due to a change in the clamav sig for eicar. The new sig only looks for the eicar string within the first couple bytes of the fd buffer whatever. Once you add all of the http header stuff the string is no longer contained within the first couple bytes.

Regards,

Will

On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
> Hello,
>
> I played around with my Snort-inline on the Firewall
> on a debian sarge 3.1
>
> I started it with:
>
> ./snort-inline -Qvc /opt/snort-inline/etc/snort-inline/snort_inline.conf
>
> Here my snort-inline.conf:
> Only some lines changed
> http://www.ganeymed.de/pixx/fw_ids/snort-inline-conf.htm
>
> We have forced proxying here so all HTTP goes over our HTTP proxy.
> I tried to give all that traffic to snort-inline.
> Here is my firewall script (I marked the snort-specific part red):
> http://www.ganeymed.de/pixx/fw_ids/snorttest_sh.htm
>
> Then I started snort with 2&>/tmp/test in addition, to send it all to a test file:
> http://www.ganeymed.de/pixx/fw_ids/test_aus_temp.htm
>
> The startup looks good to me, but
> at the bottom you can see a connection from MY_IP to the proxy,
> but no traffic coming back. But everything works. I can visit websites
> from behind the firewall.
>
> Also, how can I test snort-inline?
> I tried eicar.com, but nothing was blocked.
>
> How can I test whether clamav works together with snort-inline?
>
> Thank you
> Best regards
> Holger Moskopp
>
From: Will M. <wil...@gm...> - 2005-08-19 14:33:22

snort-inline supports logging to a database, just copy the line that deals with database output from snort.conf to snort-inline.conf and modify it to fit your environment.

Regards,

Will

On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
> Hello,
>
> my name is Holger Moskopp, I'm a student at the
> FH-Cologne and working on my thesis. The topic is
> to build a security solution for an experimental network
> with special consideration of VoIP applications
> (for that is the DMZ with a SIP/RTP proxy)
>
> I'm also new to that mailing list, and I never was a
> member of a mailing list before.
>
> I have a separate computer with three Ethernet cards as firewall.
> eth0 for the external net, eth2 for the internal net, eth1 for my DMZ.
> On that computer I installed snort-inline.2.2.0a
>
> I want to send all the snort-inline logs to a MySQL database in the
> internal net. So I configured snort-inline like that:
>
> ./configure --prefix=/opt/snort-inline/
> --with-libipq-includes=/usr/include/libipq
> --enable-flexresp
> --enable-inline
> --enable-clamav
> --with-mysql
>
> All went well with the make and make install.
>
> I copied all files from /etc and the rules.
>
> But how can I tell snort-inline where the MySQL database is?
> There is a snort.conf and a snort-inline.conf.
> In the snort.conf there is a possibility to tell snort an output database.
> But not in the snort-inline.conf.
> Do I have to do it in the snort.conf, or do I have to copy that line into
> the snort-inline.conf - is the snort.conf needed?
> If yes, do all changes there have the same effect as described in
> several Howtos?
>
>
> Thank you
> Best regards
> Holger Moskopp
>
From: Ken G. <ken...@ro...> - 2005-08-19 13:46:50

define 'real-equipment' for me. ;)

Will Metcalf wrote:
> hogwash, but it hasn't been updated in a while........ What? You don't
> like our project ;-)
>
> http://hogwash.sf.net
>
> http://www.sf.net/projects/hogwash
>
> I'm still waiting for somebody with some real equipment to do
> performance measurements of snort-inline. Any takers?
>
> Regards,
>
> Will
>
> On 8/18/05, Adayadil Thomas <ada...@gm...> wrote:
>
>> Greetings.
>>
>> - Besides Snort-inline, are there any other open source IPS solutions ?
>>
>> Are there any comparisons between snort-inline performance on linux
>> and *bsd available ?
>>
>> Any information is appreciated.
>>
>> Thanks
>>
>
From: Holger M. <gan...@mo...> - 2005-08-19 09:21:07

Hello,

I played around with my Snort-inline on the Firewall on a debian sarge 3.1

I started it with:

./snort-inline -Qvc /opt/snort-inline/etc/snort-inline/snort_inline.conf

Here my snort-inline.conf:
Only some lines changed
http://www.ganeymed.de/pixx/fw_ids/snort-inline-conf.htm

We have forced proxying here so all HTTP goes over our HTTP proxy. I tried to give all that traffic to snort-inline.
Here is my firewall script (I marked the snort-specific part red):
http://www.ganeymed.de/pixx/fw_ids/snorttest_sh.htm

Then I started snort with 2&>/tmp/test in addition, to send it all to a test file:
http://www.ganeymed.de/pixx/fw_ids/test_aus_temp.htm

The startup looks good to me, but at the bottom you can see a connection from MY_IP to the proxy, but no traffic coming back. But everything works. I can visit websites from behind the firewall.

Also, how can I test snort-inline? I tried eicar.com, but nothing was blocked.

How can I test whether clamav works together with snort-inline?

Thank you
Best regards
Holger Moskopp
From: Holger M. <gan...@mo...> - 2005-08-19 08:44:00

Hello,

my name is Holger Moskopp, I'm a student at the FH-Cologne and working on my thesis. The topic is to build a security solution for an experimental network with special consideration of VoIP applications (for that is the DMZ with a SIP/RTP proxy).

I'm also new to that mailing list, and I never was a member of a mailing list before.

I have a separate computer with three Ethernet cards as firewall.
eth0 for the external net, eth2 for the internal net, eth1 for my DMZ.
On that computer I installed snort-inline.2.2.0a

I want to send all the snort-inline logs to a MySQL database in the internal net. So I configured snort-inline like that:

./configure --prefix=/opt/snort-inline/
--with-libipq-includes=/usr/include/libipq
--enable-flexresp
--enable-inline
--enable-clamav
--with-mysql

All went well with the make and make install.

I copied all files from /etc and the rules.

But how can I tell snort-inline where the MySQL database is? There is a snort.conf and a snort-inline.conf. In the snort.conf there is a possibility to tell snort an output database. But not in the snort-inline.conf. Do I have to do it in the snort.conf, or do I have to copy that line into the snort-inline.conf - is the snort.conf needed? If yes, do all changes there have the same effect as described in several Howtos?

Thank You
Best regards
Holger Moskopp
From: Will M. <wil...@gm...> - 2005-08-18 21:48:22

hogwash, but it hasn't been updated in a while........ What? You don't like our project ;-)

http://hogwash.sf.net

http://www.sf.net/projects/hogwash

I'm still waiting for somebody with some real equipment to do performance measurements of snort-inline. Any takers?

Regards,

Will

On 8/18/05, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> - Besides Snort-inline, are there any other open source IPS solutions ?
>
> Are there any comparisons between snort-inline performance on linux
> and *bsd available ?
>
> Any information is appreciated.
>
> Thanks
>
From: Adayadil T. <ada...@gm...> - 2005-08-18 21:34:48

Greetings.

- Besides Snort-inline, are there any other open source IPS solutions ?

Are there any comparisons between snort-inline performance on linux and *bsd available ?

Any information is appreciated.

Thanks
From: Ken G. <ken...@ro...> - 2005-08-11 18:15:45

I was able to get it working finally, this is how:

commandline:
snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/snort_inline/20050811 -t /var/log/snort_inline

snort_inline.conf:
output alert_fast: LOG_ALERT
output alert_syslog: LOG_ALERT

syslog.conf:
*.*;kern.none @10.1.14.12

Ken Garland wrote:
> Nick Rogness wrote:
>
>>> I have this in the snort_inline.conf:
>>>
>>> output alert_syslog: LOG_AUTH LOG_ALERT
>>>
>>> Here is the commandline I'm using to run snort:
>>>
>>> snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l
>>> /var/log/alert -t /var/log/snort_inline
>>>
>>> How can I get /var/log/alert to be sent to a remote syslog server? Or
>>> can I get those alerts to be controlled by syslog?
>>>
>>> What I am trying to achieve is get the snort logs into a remote syslog
>>> server.
>>>
>>
>> From the user manual:
>>
>> output alert_syslog: [host=<hostname[:<port>],] <facility> <priority>
>>
>> e.g.:
>>
>> output alert_syslog: host=1.2.3.4:514 LOG_AUTH LOG_ALERT
>>
>
> Thanks! Ya, those docs sure do come in handy!
>
> ::hits self over head::
>
> - Ken
>
From: Ken G. <ken...@ro...> - 2005-08-11 17:08:13

Nick Rogness wrote:
>> I have this in the snort_inline.conf:
>>
>> output alert_syslog: LOG_AUTH LOG_ALERT
>>
>> Here is the commandline I'm using to run snort:
>>
>> snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l
>> /var/log/alert -t /var/log/snort_inline
>>
>> How can I get /var/log/alert to be sent to a remote syslog server? Or
>> can I get those alerts to be controlled by syslog?
>>
>> What I am trying to achieve is get the snort logs into a remote syslog
>> server.
>>
>
> From the user manual:
>
> output alert_syslog: [host=<hostname[:<port>],] <facility> <priority>
>
> e.g.:
>
> output alert_syslog: host=1.2.3.4:514 LOG_AUTH LOG_ALERT
>

Thanks! Ya, those docs sure do come in handy!

::hits self over head::

- Ken
From: Nick R. <ni...@ro...> - 2005-08-11 17:05:07

> I have this in the snort_inline.conf:
>
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> Here is the commandline I'm using to run snort:
>
> snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l
> /var/log/alert -t /var/log/snort_inline
>
> How can I get /var/log/alert to be sent to a remote syslog server? Or
> can I get those alerts to be controlled by syslog?
>
> What I am trying to achieve is get the snort logs into a remote syslog
> server.

From the user manual:

output alert_syslog: [host=<hostname[:<port>],] <facility> <priority>

e.g.:

output alert_syslog: host=1.2.3.4:514 LOG_AUTH LOG_ALERT
From: Ken G. <ken...@ro...> - 2005-08-11 15:45:40

I have this in the snort_inline.conf:

output alert_syslog: LOG_AUTH LOG_ALERT

Here is the commandline I'm using to run snort:

snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/alert -t /var/log/snort_inline

How can I get /var/log/alert to be sent to a remote syslog server? Or can I get those alerts to be controlled by syslog?

What I am trying to achieve is get the snort logs into a remote syslog server.

- Ken

Ken Garland wrote:
> How can I send it to a syslog server?
>
> Javier Reyna Padilla wrote:
>
>> You can send it to a syslog server, or maybe you want to log to a DB,
>> but I do not know if you can log portscan2 remotely; I think it did
>> not use syslog.
>>
>> Ken Garland wrote:
>>
>>> I would like snort to send its logs out remotely, how can I do that?
>>>
>>
>
From: Ken G. <ken...@ro...> - 2005-08-11 14:55:45

How can I send it to a syslog server?

Javier Reyna Padilla wrote:
> You can send it to a syslog server, or maybe you want to log to a DB,
> but I do not know if you can log portscan2 remotely; I think it did not
> use syslog.
>
> Ken Garland wrote:
>
>> I would like snort to send its logs out remotely, how can I do that?
>>
>
From: Javier R. P. <jr...@on...> - 2005-08-11 14:49:49

You can send it to a syslog server, or maybe you want to log to a DB, but I do not know if you can log portscan2 remotely; I think it did not use syslog.

Ken Garland wrote:
> I would like snort to send its logs out remotely, how can I do that?
>

--
--------------------------
Javier Reyna Padilla
Consultor de Seguridad
Onlinet S.A. de C.V.
Casma 594 Col. Lindavista
C.P. 07300 México D.F.
Tel. (55) 55862613
Nextel: 24885934 ID: 45973*20
Cel: 044 55 28660731
http://www.onlinet.com.mx
---------------------------
From: Ken G. <ken...@ro...> - 2005-08-11 14:44:23

I would like snort to send its logs out remotely, how can I do that?
From: Pieter V. <pv...@ab...> - 2005-08-11 08:11:56

Hi,

I was trying to block MSN access using snort. I noticed rules in the chat.rules file. However MSN 7 uses different ports/mechanisms. I.e. it first tries on TCP port 1863, which is listed in chat.rules. If this doesn't succeed it uses HTTP(s), which succeeded. Tried modifying the existing rules for port 80 as port 443 is encrypted, but it didn't work.

Does anyone have rules for blocking MSN 7? It seems MSN 7 can fully work using HTTP(s), i.e. send attachments/audio/video/chat.

kind regards,
Pieter

--
NEW: aXs GUARD hands-on Trainings v.7.0
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
From: Will M. <wil...@gm...> - 2005-08-10 13:16:45

On 8/10/05, Pieter Vanmeerbeek <pv...@ab...> wrote:
> After some experimenting I chose Snort-inline over snort with flex resp.
>
> I've still got a question about the drop target.
>
> When I set a rule with a drop target packets are stopped. When I replace
> the drop with alert packets are still dropped; After a while the packets
> arrive without doing anything.

Then something isn't right in your config somewhere. Alert rules just alert, drop rules drop and alert, sdrop drops and does not alert, and reject alerts, drops, and sends a reset.

> Thus my question, is there a special timing for the drop target? I.e.
> once packets are dropped due to a rule, they are still dropped for X
> seconds even if the rule was removed?

ummmm, you have to restart snort_inline if you make modifications to the rules. This is true of vanilla snort as well.

> After rule modification snort is restarted ( stopped by special
> watchdog, config snort.conf is rewritten, and started by special watchdog ).
>
> Changes from alert to pass or the other way around are activated immediately.
>
> kind regards,
> Pieter
> Able
>
> --
> Pieter Vanmeerbeek
> R&D Engineer
> ---------------------------------------------------
> Able N.V.                  Tel: +32(0)15 50.44.00
> Dellingstraat 28b          Fax: +32(0)15.50.44.09
> B-2800 Mechelen
> http://www.axsguard.com    http://www.doITsafe.net
>
> aXs GUARD - internet communication appliance
> ---------------------------------------------------
>
> --
> NEW: aXs GUARD hands-on Trainings v.7.0
> more info at http://www.axsguard.com/indextraining.htm
>
> aXs GUARD has completed security and anti-virus checks on this e-mail
> (http://www.axsguard.com)
> ---------------------------------------------------
> Able NV: ond.nr 0457.938.087
>
From: Pieter V. <pv...@ab...> - 2005-08-10 13:03:08

After some experimenting I chose Snort-inline over snort with flex resp.

I've still got a question about the drop target.

When I set a rule with a drop target packets are stopped. When I replace the drop with alert packets are still dropped; After a while the packets arrive without doing anything.

Thus my question, is there a special timing for the drop target? I.e. once packets are dropped due to a rule, they are still dropped for X seconds even if the rule was removed?

After rule modification snort is restarted ( stopped by special watchdog, config snort.conf is rewritten, and started by special watchdog ).

Changes from alert to pass or the other way around are activated immediately.

kind regards,
Pieter
Able

--
Pieter Vanmeerbeek
R&D Engineer
---------------------------------------------------
Able N.V.                  Tel: +32(0)15 50.44.00
Dellingstraat 28b          Fax: +32(0)15.50.44.09
B-2800 Mechelen
http://www.axsguard.com    http://www.doITsafe.net

aXs GUARD - internet communication appliance
---------------------------------------------------

--
NEW: aXs GUARD hands-on Trainings v.7.0
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087