[Dshield] Submitting logs from two devices

Anthony Rodgers Anthony_Rodgers at dnv.org
Sat Feb 10 00:37:57 GMT 2007


Hmm - it seems that the Universal Client only accepts snort.log output, 
rather than snort.alert. This prevents me from using barnyard to 
generate the syslog output from snort, as the barnyard syslog plugin 
only reads the snort.alert files.

Wouldn't it make more sense to use snort.alert output instead?

Regards,
-- 
Anthony Rodgers
Business Systems Analyst
District of North Vancouver
Web: http://www.dnv.org
RSS Feed: http://www.dnv.org/rss.asp


On Feb 8, 2007, at 4:29 PM, Johannes B. Ullrich wrote:

> should work well if you just run two copies of cvtwin. You can use the
> same userid/account for both copies.
>
>
> Anthony Rodgers wrote:
> > Hi there,
> >
> > Is it acceptable to submit logs from two sources (Internet facing
> > firewall and a snort IDS that resides inside the firewall)? My thinking
> > is that our IDS picks up on badness that gets through our firewall's
> > open ports and therefore might provide some additional useful data.
> >
> > If so, is it sufficient to have two instances of the Universal Client
> > running on a machine, using the same DShield ID?
> >
> > Regards,
>
>
> --
> ---------
> Johannes Ullrich                        jullrich at sans.org
> Chief Research Officer                     (617) 639 5000
> http://isc.sans.org
> PGP Key: https://secure.dshield.org/PGPKEYS
>
> "We use [isc.sans.org] every day to keep on top of
>  security at our bank" Matt, Network Administrator.
>