Snort mailing list archives
Re: Newbie questions: logs
From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 07:24:58 -0700
ayse: ayse () deakin edu au wrote:
> Warm greetings to all. I have just installed snort on one of our boxes (yey) and am very confused about all the logs. In the snort directory - I have a

These should all be written-to by different circumstances, depending ;-)

> log

gets results from something like this in a rules file:

    log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)

> alert

gets results from something like this in a rules file:

    alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)

> portscan.log

gets results from this in snort.conf:

    # portscan: detect a variety of portscans
    # ---------------------------------------
    preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

HTH..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

> The above log files look v. similar in content. Can someone tell me why the need for 3 outputs or point me to a doco that may enlighten me. I have only enabled/played with the scan.rules options so far. Many thanks in advance ayse
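The rule lines and the preprocessor line John quotes share a fixed header layout, and the rule action (log vs alert) is exactly what decides which output a rule feeds. As an added example that is not from this thread or from the Snort project, here is a small Python parser that groups such lines by action and pulls out the portscan preprocessor settings; the sample config inside it is constructed from the lines quoted above, and the portscan argument names (network, ports, seconds, logfile) follow the Snort 1.x preprocessor usage.

```python
import re

# Constructed sample, built from the rule and snort.conf lines quoted in the reply above.
SAMPLE = """
# comment lines and blank lines are skipped
log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)
alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
"""

# Snort 1.x rule header: action proto src sport direction dst dport, then optional (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# preprocessor portscan: <network> <ports> <seconds> <logfile> (Snort 1.x portscan arguments)
PORTSCAN_RE = re.compile(r'^preprocessor\s+portscan\s*:\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$')


def parse_rule(line):
    """Parse one rule line into its header fields plus msg; None if the header is malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    msg_m = MSG_RE.search(rule.pop('opts') or '')
    rule['msg'] = msg_m.group(1) if msg_m else ''
    return rule


def parse_config(text):
    """Group rules by action (the output each one feeds) and extract the portscan settings."""
    by_action = {'alert': [], 'log': [], 'pass': []}
    portscan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # comments and blank lines carry no rule
        ps = PORTSCAN_RE.match(line)
        if ps:
            portscan = {'net': ps[1], 'ports': int(ps[2]), 'seconds': int(ps[3]), 'logfile': ps[4]}
            continue
        rule = parse_rule(line)
        if rule:
            by_action[rule['action']].append(rule)
    return by_action, portscan
```

Running parse_config over a real snort.conf and rules file gives a quick inventory of which rules only log, which rules alert, and whether the portscan preprocessor is writing to a separate file at all.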