2003-03-17T17:04:15 "Héroux, Christian":

> I have a few network devices that can't be in my management
> network.

Could you expand on that? I've got some of my sensors with mgmt interfaces on various management nets, with various restrictions of connectivity. The "few network device" you're talking about, are they your snort sensors, or are they something else?

> I read about stealth logging using snort but it seems limited.

I have trouble seeing how it'd be related to this topic. The stealth logging stuff I've read uses snort (I'm not sure why, I think ngrep would be a better-shaped tool myself) to suck log data off a net with promisc sniffing, so the logserver can be invisible. Doesn't help address lacking network connectivity, just lets you aim your syslog messages off into space, and have a hidden logsucker pluck them off the wire.

> I can collect packets by port span (cisco).

So do I. It's a popular connection mechanism. I use it everywhere I can; only where there's no device capable of spanning do I use a network tap.

> Snort gets the syslog packet [...]

So it does sound like you are pursuing the stealth logging stuff. You'll have to describe your exact architecture better for us to give you detailed suggestions.

> [...] but I can't send the payload (syslog message) with snort
> syslog output.

That's right; as Jeffrey Lawhorn said, packet payloads (like e.g. syslog messages) aren't included in snort's syslog output. You need a different tool, or else a helper tool. You can either ditch snort for this application altogether, and go with ngrep plus some more glue, or else you can arrange to run ngrep over the pcap files that snort writes. I'd just use ngrep instead of snort for this application, that'd be simpler.

> The only thing I can do is to log the payload in a file.

That's right, that's all snort does with packet payloads.

> Is there any tool that would read a file and send the
> content to a syslog server?

ngrep can read the file; I'm sure other tools can do the job as well, but the hard part is automagically tailing snort's pcap logfile and making sure the log-tailer moves on to the next one when snort switches logfiles. Easier to just run ngrep alongside (or instead of) snort, directly sniffing the wire. While I haven't done this, I believe the invocation you're looking for is something along the lines of

    ngrep -q port syslog | ...

where ... is a program that (a) pulls out the syslog lines (they begin with " <"; strip off the two leading spaces); (b) pulls out the priority as an integer (stripping off the priority as well as its surrounding angle brackets, leaving only the actual message); decodes the priority; and re-injects the result into syslog.

If you want to build such a thing, I have some pieces lying around the shop that you may find helpful; at <URL:http://bent.latency.net/selp-perl-0.1.tar.bz2> I've got a proof-of-concept implementation of a syslog-over-tcp protocol in perl, and it has in it pretty simple syslog priority encoder/decoder functions. Once you've hauled the priority and message off the wire, you can use Sys::Syslog to re-forward the messages.

-Bennett
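The glue program Bennett sketches (keep ngrep's payload lines, split off the <PRI> header into facility and severity, re-inject into syslog), written out as an added example that is not part of this thread. It uses Python's standard syslog module instead of the Perl and Sys::Syslog he suggests; the ngrep output it parses is constructed, not a real capture, and the "ngrep-relay" ident is an assumed name.

```python
"""Glue for:  ngrep -q port syslog | python3 ngrep_syslog_relay.py
Keeps ngrep payload lines carrying a syslog datagram, splits off the <PRI>
header into facility/severity and hands each message to local syslog."""
import re
import sys
import syslog  # POSIX only

# ngrep indents payload by two spaces; a syslog packet begins with <PRI>.
# Wrapped continuation lines of long payloads lack "  <" and are dropped.
PRI_RE = re.compile(r"<(\d{1,3})>(.*)")

# Constructed sample of `ngrep -q port syslog` output (not a real capture).
SAMPLE = [
    "U 192.0.2.10:514 -> 192.0.2.20:514",
    "  <34>Mar 17 17:04:15 fw1 sshd[2313]: Failed password for root",
    "  <165>Mar 17 17:04:16 sw1 %LINK-3-UPDOWN: Interface Gi0/1 down",
    "  junk payload without a PRI header",
]

def decode_pri(pri):
    """Split an RFC 3164 PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7

def parse_ngrep_line(line):
    """(facility, severity, message) for a syslog payload line, else None."""
    m = PRI_RE.match(line[2:].rstrip("\r\n")) if line.startswith("  <") else None
    if m is None:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:  # PRI outside the valid range
        return None
    return facility, severity, m.group(2)

def relay(lines):
    """Decode every syslog payload line in an iterable of ngrep output."""
    return [e for e in map(parse_ngrep_line, lines) if e is not None]

def reinject(entries, ident="ngrep-relay"):  # ident is an assumed name
    """Forward decoded entries to the local syslog daemon; returns the count."""
    syslog.openlog(ident)
    for facility, severity, message in entries:
        # syslog(3) priority uses the PRI layout: facility << 3 | severity
        syslog.syslog((facility << 3) | severity, message)
    syslog.closelog()
    return len(entries)

if __name__ == "__main__":
    reinject(relay(sys.stdin))
```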
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 10:56:37 PST