Snort mailing list archives

logging output


From: Roeland Weve <roeland () office netland nl>
Date: Thu, 17 May 2001 10:22:55 +0200

Hello,

I have this ruletype in my snort.conf:
ruletype scanalert
{
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
}
I use it to log scan alerts (like ping, etc.) to a different database than
regular alerts (like exploits).
This is to reduce one big database to two databases.
This works: a rule that begins with alert logs to a different database than
a rule starting with scanalert, e.g.:
scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

I am using this output for Acid.

I also log to a logfile that I'm using for snortsnarf or other
'logscanners' like ewatch.
I also want to split this logfile into 2 logfiles, one for scanalerts and
the other one for normal alerts.
Can somebody tell me how to do this?

I am not very familiar with the alert_syslog options.
Maybe this is something for the documentation? Because I really don't know
what I can do with all those LOG_xxx names.

I would really appreciate your help,

Roeland

------------------------
Options 
    LOG_CONS 
    LOG_NDELAY 
    LOG_PERROR 
    LOG_PID 
Facilities 
    LOG_AUTH 
    LOG_AUTHPRIV 
    LOG_DAEMON 
    LOG_LOCAL0 
    LOG_LOCAL1 
    LOG_LOCAL2 
    LOG_LOCAL3 
    LOG_LOCAL4 
    LOG_LOCAL5 
    LOG_LOCAL6 
    LOG_LOCAL7 
    LOG_USER 
Priorities 
    LOG_EMERG 
    LOG_ALERT 
    LOG_CRIT 
    LOG_ERR 
    LOG_WARNING 
    LOG_NOTICE 
    LOG_INFO 
    LOG_DEBUG

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
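One way to get the two separate logfiles, as an added example that is not part of the original post: give the scanalert ruletype its own alert_fast file and its own syslog facility, keep the built-in alert type on a second facility, and let syslogd sort the two facilities into separate files. The file names, the choice of LOG_LOCAL0/LOG_LOCAL1, and the syslog.conf paths are assumptions; any two otherwise unused facilities work the same way.

```conf
# --- snort.conf (added example, not the original poster's config) ---
# The facility is what syslogd uses to sort messages; the priority
# (LOG_ALERT) stays the same for both streams. LOG_LOCAL0/LOG_LOCAL1 are
# assumed to be unused on this host.
ruletype scanalert
{
   type alert
   output alert_fast: scan-alert.log
   output alert_syslog: LOG_LOCAL0 LOG_ALERT
   output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
}

# Top-level output plugins apply to the built-in "alert" type (exploits etc.).
output alert_fast: exploit-alert.log
output alert_syslog: LOG_LOCAL1 LOG_ALERT

# Rules pick the stream by their first word, exactly as before:
scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

# --- /etc/syslog.conf (classic syslogd; assumed paths) ---
# One file per facility. Older syslogd requires tabs between selector and path.
local0.*	/var/log/snort/scan.log
local1.*	/var/log/snort/exploit.log
# Exclude both facilities from the catch-all line, or every alert is also
# copied into /var/log/messages (adapt the selector to the local default).
*.info;local0.none;local1.none	/var/log/messages
```

Restart or HUP syslogd after editing syslog.conf; the alert_fast files are written by Snort itself and need no syslogd involvement, so either mechanism alone is enough to feed snortsnarf two separate files.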
