snort logging
Results 1 to 4 of 4

Thread: snort logging

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324

    snort logging

    Is there a way to log certain signatures/alerts to a specific log file or database using one instance of snort or one config?

    Example:

    I want to log all SPYWARE-DNS DNS lookup (part of the blackhole dns project) to a file and exclude them from being logged to my main alert database.

    These rules are located @ http://www.bleedingsnort.com/blackho...ware-dns.rules

    I'm currently running instance of snort with three rulesets.

    The official set http://www.snort.org/
    The community set http://www.snort.org/
    Bleeding Snort set http://www.bleedingsnort.com/

    In addition, I just want the blackhole dns just to see if/when any boxes look up spyware domains.

    I have this running, but I'd like it in either a separate database or log.

    I'm thinking that I should just create a new config and run a separate instance of snort?
    Will that cause problems running two instances of snort on one interface?
    Or, should I install yet another NIC just for that config?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    144
    Have you looked at trying to use the ruletype option for snort? I believe you can create a ruletype that defines a spyware ruletype

    ruletype spyware
    {
    type log
    output log_tcpdump: spyware.log
    }

    then use the rule type as an action.

    spyware tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE what ever"; flow: established,to_server; uricontent:"spyware.exe"; nocase; reference: url,spyware.com; classtype: trojan-activity; sid: 111111111; rev:1; )

    I am guessing, hadn't really tried it myself, but reading the documentation on snort.org, this is how I interpet it.

    http://www.snort.org/docs/snort_htma...60/node17.html
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    No, I have not looked into that. I didn't realize that was there...
    I was looking more in the output section of the docs.

    Thanks for pointing that out. I'll play around with it and see what I can come up with.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greeting's

    You must spread your AntiPoints around before giving it to Opus00 again.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •