How do I have Snort(running on an Ubuntu computer) send its output data to another computer on the same network?

jhammett52
Basically, I'm fairly new to IDS and I have a need for Snort's output data(including both the logs and alerts if possible) to be sent to another computer on the same network. To make it easy to receive help, I have a fresh install of Snort on one computer(Ubuntu).

Also, the computer that will be receiving the data is a Windows XP(not sure if this complicates things). I was told syslog will be a must on the station receiving and analyzing the data, but I also have no experience with that.

If someone could at least explain the theory behind doing this or perhaps link me to an article or guide that would be amazing!

Thanks in advance for the assistance!
I'm not sure exactly what you need, but here (http://wiki.imagestream.com/wiki/Snort/Install) are some folks using Windows for at least some of it ;-)

Cheers,
-Jon
Commented:
I'm not sure how to get Windows to capture the data, but generally you tell Snort to send its output to syslog by adding a line like:

output alert_syslog: LOG_LOCAL7 LOG_ALERT

Then you go into your syslog configuration and tell it to send the Snort data to your central logging server; I used syslog-ng to accomplish this.

Then you'd configure your central logging server (the receiving machine) to capture external data sent to whatever protocol and port you specified on the transmitting machine, at which point it would create a directory for that system and begin logging the data it receives.

http://www.softpanorama.org/Logs/Syslog_ng/configuration_examples.shtml
http://www.softpanorama.org/Logs/Syslog_ng/filter_functions_with_examples.shtml
The above links list some example configurations.
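As an added illustration of the receiving side CodeC6 describes (this is not code from the thread, from Snort or from syslog-ng), the Python script below is a minimal UDP syslog listener standing in for whatever syslog daemon the receiving machine runs: it decodes the PRI value that `output alert_syslog: LOG_LOCAL7 LOG_ALERT` puts on every alert, keeps only local7.alert records, and files each one under a directory named after the sending sensor. The hostname `ids-ubuntu`, the sid 1000001 and the sample alert line are constructed for the example.

```python
import re
import socket
from pathlib import Path

# "output alert_syslog: LOG_LOCAL7 LOG_ALERT" stamps each alert with facility local7 (23)
# and severity alert (1); on the wire that is PRI = 23 * 8 + 1 = 185 (RFC 3164 header).
LOG_LOCAL7, LOG_ALERT = 23, 1
# Header "<PRI>Mmm dd hh:mm:ss hostname message", then Snort's alert body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SNORT_RE = re.compile(  # snort[pid]: [gid:sid:rev] text [Classification: c] [Priority: n] {proto} src -> dst
    r"^snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<text>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")

def parse_syslog(line):
    """Split one syslog line into facility, severity, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    p = int(m["pri"])
    rec = {"facility": p // 8, "severity": p % 8, "ts": m["ts"], "host": m["host"], "msg": m["msg"]}
    s = SNORT_RE.match(m["msg"])
    if s:  # add rule id, classification and connection fields when the body is a Snort alert
        rec.update(s.groupdict())
    return rec

def is_snort_alert(rec):
    """Keep only what the sensor tagged local7.alert; other syslog traffic is ignored."""
    return rec is not None and rec["facility"] == LOG_LOCAL7 and rec["severity"] == LOG_ALERT

def store(rec, root):
    """Append the alert to <root>/<sending host>/snort.log, one directory per sensor."""
    path = Path(root) / rec["host"] / "snort.log"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a") as f:
        f.write(f"{rec['ts']} {rec['msg']}\n")
    return path

def serve(root, bind="0.0.0.0", port=514):
    """Minimal UDP syslog listener; binding port 514 needs administrator rights."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, _ = sock.recvfrom(8192)
            rec = parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n"))
            if is_snort_alert(rec):
                store(rec, root)

# Constructed sample datagram as the Ubuntu sensor would forward it (sid 1000001 is a placeholder local rule).
SAMPLE = "<185>Jan 12 10:15:01 ids-ubuntu snort[1234]: [1:1000001:1] LOCAL test alert [Priority: 2] {TCP} 192.0.2.10:80 -> 192.0.2.55:40012"
```

Run `serve("/path/to/logs")` on the receiving machine and point the sensor's syslog forwarding at its address and UDP port 514; `parse_syslog(SAMPLE)` shows the fields extracted from one alert.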

Author

Commented:
Thank you both for answering. I'm going to try your solution, CodeC6, and let you know how it works out.

Author

Commented:
CodeC6 explained how to do what I needed.
