1
00:00:00,05 --> 00:00:02,00
- [Instructor] In this lesson,

2
00:00:02,00 --> 00:00:05,08
we'll configure Snort to forward its log messages

3
00:00:05,08 --> 00:00:08,04
to a syslog-ng server.

4
00:00:08,04 --> 00:00:13,00
Let's modify the Snort configuration file.

5
00:00:13,00 --> 00:00:15,01
Type cd,

6
00:00:15,01 --> 00:00:16,08
space,

7
00:00:16,08 --> 00:00:18,01
etc,

8
00:00:18,01 --> 00:00:19,08
snort.

9
00:00:19,08 --> 00:00:21,07
Press Enter.

10
00:00:21,07 --> 00:00:23,09
Type ls.

11
00:00:23,09 --> 00:00:26,02
Press Enter.

12
00:00:26,02 --> 00:00:31,08
You can see the snort.conf file here.

13
00:00:31,08 --> 00:00:35,00
Let's edit the file as a root user.

14
00:00:35,00 --> 00:00:38,00
Type sudo,

15
00:00:38,00 --> 00:00:38,08
space,

16
00:00:38,08 --> 00:00:40,06
nano,

17
00:00:40,06 --> 00:00:43,01
space,

18
00:00:43,01 --> 00:00:47,04
snort.conf.

19
00:00:47,04 --> 00:00:49,06
Press Enter.

20
00:00:49,06 --> 00:00:54,02
Let's do a search and look for syslog.

21
00:00:54,02 --> 00:01:00,00
Press Ctrl and W together to do the search.

22
00:01:00,00 --> 00:01:05,04
Enter syslog as a search term.

23
00:01:05,04 --> 00:01:08,00
Press Enter.

24
00:01:08,00 --> 00:01:10,04
We've found the line we need.

25
00:01:10,04 --> 00:01:13,04
Uncomment this line.

26
00:01:13,04 --> 00:01:19,01
By uncommenting, what I mean is removing the pound sign.

27
00:01:19,01 --> 00:01:25,08
The line says output alert_syslog,

28
00:01:25,08 --> 00:01:27,03
log auth,

29
00:01:27,03 --> 00:01:29,03
log alert.

30
00:01:29,03 --> 00:01:33,09
Press Ctrl and X together to save the file.

31
00:01:33,09 --> 00:01:37,03
Type Y, press Enter.

32
00:01:37,03 --> 00:01:41,03
Now, Snort is ready to send its log messages

33
00:01:41,03 --> 00:01:44,04
to a syslog-ng server.

34
00:01:44,04 --> 00:01:48,00
However, there's one more step you should take.

35
00:01:48,00 --> 00:01:52,02
When you run Snort, you need to use a special option

36
00:01:52,02 --> 00:01:55,06
which is dash lowercase S

37
00:01:55,06 --> 00:02:00,01
to tell Snort that now the log messages

38
00:02:00,01 --> 00:02:03,01
are going to syslog-ng.

39
00:02:03,01 --> 00:02:04,09
Let's give it a try.

40
00:02:04,09 --> 00:02:07,01
Type sudo,

41
00:02:07,01 --> 00:02:08,00
space,

42
00:02:08,00 --> 00:02:10,00
snort,

43
00:02:10,00 --> 00:02:11,05
space,

44
00:02:11,05 --> 00:02:14,07
dash lowercase S,

45
00:02:14,07 --> 00:02:18,05
and then use the configuration file option

46
00:02:18,05 --> 00:02:21,03
which is dash C,

47
00:02:21,03 --> 00:02:24,08
space, etc,

48
00:02:24,08 --> 00:02:27,01
snort,

49
00:02:27,01 --> 00:02:30,06
snort.conf.

50
00:02:30,06 --> 00:02:34,08
We'll be monitoring the first network interface card,

51
00:02:34,08 --> 00:02:38,00
which is eth0,

52
00:02:38,00 --> 00:02:41,00
therefore type dash I,

53
00:02:41,00 --> 00:02:42,04
space,

54
00:02:42,04 --> 00:02:45,04
eth0.

55
00:02:45,04 --> 00:02:49,03
Press Enter.

56
00:02:49,03 --> 00:02:51,01
Snort is running.

57
00:02:51,01 --> 00:02:55,09
Now, the log messages are not coming to the console.

58
00:02:55,09 --> 00:03:00,01
It's not going to the Snort log files either.

59
00:03:00,01 --> 00:03:04,00
They're all being sent to syslog-ng.