Snort mailing list archives

Re: Newbie questions: logs


From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 07:24:58 -0700

ayse:

ayse () deakin edu au wrote:


Warm greetings to all.

I have just installed snort on one of our boxes (yey)
and am very confused about all the logs.
In the snort directory - I have a


These should all be written to under different circumstances, depending ;-)

        log


gets results from something like this in a rules file:

log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)


        alert


gets results from something like this in a rules file:

alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)

        portscan.log


gets results from this in snort.conf:

# portscan: detect a variety of portscans
# ---------------------------------------
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log


HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."



The above log files look v. similar in content. Can someone tell me
why the need for 3 outputs or point me to a doco that may enlighten me.
I have only enabled/played with the scan.rules options so far.

Many thanks in advance
ayse



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
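As an added illustration (not code from the thread or from the Snort project), here is a small Python parser that reads the three configuration lines quoted in the reply above and reports where each one sends its output: the rule action (`log` or `alert`) for rules, and the path argument for the portscan preprocessor. The regular expressions are my assumption about the 1.x rule-header syntax shown on this page; the sample config is constructed from the quoted lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the lines quoted in the reply, plus the snort.conf comment.
SAMPLE_CONFIG = """\
log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)
alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)
# portscan: detect a variety of portscans
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
"""

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>log|alert|pass)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# preprocessor portscan: <network> <ports> <seconds> <logfile>
PORTSCAN_RE = re.compile(
    r'^preprocessor\s+portscan:\s+(?P<net>\S+)\s+(?P<ports>\d+)\s+'
    r'(?P<secs>\d+)\s+(?P<path>\S+)\s*$'
)

@dataclass
class Entry:
    kind: str                 # "rule" or "preprocessor"
    output: str               # rule action, or the preprocessor's log path
    detail: Dict[str, object] = field(default_factory=dict)

def parse_options(opts: str) -> Dict[str, str]:
    """Split 'msg: "x"; flags: S;' into a dict (quotes stripped).
    Assumes no ';' inside quoted values, which holds for the lines above."""
    result: Dict[str, str] = {}
    for part in opts.split(';'):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition(':')   # only the first ':' separates key/value
        result[key.strip()] = val.strip().strip('"')
    return result

def classify(line: str) -> Optional[Entry]:
    """Return an Entry for a rule or portscan line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = RULE_RE.match(line)
    if m:
        d = m.groupdict()
        opts = parse_options(d.pop('opts'))
        return Entry('rule', d['action'], {**d, 'options': opts})
    m = PORTSCAN_RE.match(line)
    if m:
        d = m.groupdict()
        return Entry('preprocessor', d['path'], dict(d))
    raise ValueError(f'unrecognised line: {line}')

def classify_config(text: str) -> List[Entry]:
    return [e for e in (classify(l) for l in text.splitlines()) if e]
```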
