Snort mailing list archives
logging output
From: Roeland Weve <roeland () office netland nl>
Date: Thu, 17 May 2001 10:22:55 +0200
Hello,

I have this ruletype in my snort.conf:

    ruletype scanalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
    }

I use it to log scan alerts (like ping, etc.) to a different database than regular alerts (like exploits). This is to reduce one big database to two databases. This works: a rule which begins with alert logs to a different database than a rule starting with scanalert, e.g.:

    scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
    alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

This output I am using for Acid. I also log to a logfile that I'm using for snortsnarf or other 'logscanners' like ewatch. I also want to split this logfile into 2 logfiles, one for scanalerts and the other one for normal alerts. Can somebody tell me how to do this?

I am not very familiar with alert_syslog options. Maybe this is something for the documentation? Because I really don't know what I can do with all those LOG_xxx names.

I really appreciate your help,
Roeland

------------------------

Options
    LOG_CONS
    LOG_NDELAY
    LOG_PERROR
    LOG_PID

Facilities
    LOG_AUTH
    LOG_AUTHPRIV
    LOG_DAEMON
    LOG_LOCAL0
    LOG_LOCAL1
    LOG_LOCAL2
    LOG_LOCAL3
    LOG_LOCAL4
    LOG_LOCAL5
    LOG_LOCAL6
    LOG_LOCAL7
    LOG_USER

Priorities
    LOG_EMERG
    LOG_ALERT
    LOG_CRIT
    LOG_ERR
    LOG_WARNING
    LOG_NOTICE
    LOG_INFO
    LOG_DEBUG

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
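One way to get the two-logfile split the post asks about, added here as an example and not taken from the original thread or from the Snort project: the facility argument of alert_syslog is what syslogd routes on, so giving each ruletype its own LOG_LOCALn facility lets a two-line syslog.conf write them to separate files. The ruletype name exploitalert, the dbname snortdb, the facility choice and the log paths are assumptions; the scanalert block and the two rules are the ones from the post.

```conf
# snort.conf: one ruletype per alert class, each on its own syslog facility.
# (Added example, not from the original post; exploitalert, snortdb, the
#  LOG_LOCALn facilities and the file paths below are assumptions.)
ruletype scanalert
{
    type alert
    output alert_syslog: LOG_LOCAL0 LOG_ALERT
    output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
}

ruletype exploitalert
{
    type alert
    output alert_syslog: LOG_LOCAL1 LOG_ALERT
    output database: log, mysql, user=snorter dbname=snortdb host=localhost password=xxxx
}

# Rules: the ruletype name replaces the "alert" keyword, so each rule picks
# both its database and its syslog facility.
scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
exploitalert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

# /etc/syslog.conf: a selector is facility.priority; "*" matches every
# priority. Each facility goes to its own file (paths assumed), and
# syslogd must be restarted or sent SIGHUP after the change.
local0.*        /var/log/snort/scan.log
local1.*        /var/log/snort/exploit.log
```

The LOG_LOCAL0 to LOG_LOCAL7 facilities are reserved for site-local use, which is why they are preferable to LOG_AUTH here: LOG_AUTH is shared with login, sshd and similar daemons, so Snort alerts logged there end up interleaved with authentication messages in whatever file already collects auth.*. The priority (LOG_ALERT) only matters if the syslog.conf selector filters on it; with a ".*" selector it is purely informational, so it can stay the same for both ruletypes.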