Snort mailing list archives
Question about output syntax...
From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 20 Aug 2001 20:50:22 -0500 (CDT)
I am a new snort user. I've been following the traffic on this list for several months now, and finally took the plunge at 1.8.1. A recurring theme with newbies is "I'm using ipchains on ppp0 and don't get any alerts". There has been confusion on the list since February over whether snort will be screened out by ipchains on ppp0. So it's not surprising that when I got no logging, I assumed that was the problem.

A recent posting claiming to get logging on ppp0 behind ipchains made me spend some time in the FAQ and the Snort Users Manual. It was still unclear why I'm getting no logging in spite of receiving over 200 denied packets this week on port 80. I have to assume the majority of these are Code Red, but no alerts were logged.

I am using 1.8.1-RELEASE (Build 74). I am alternating (testing) the snort.conf ruleset v1.62 2001/08/12 04:31:01 and the vision18.conf ruleset, Export date: 20010720.0730.

This afternoon, as a test, I changed

output alert_syslog: LOG_AUTH LOG_ALERT

to

output alert_syslog: LOG_AUTH LOG_INFO

Since then, I've received 9 snort alerts logged to syslog, all of them [1:0:0] IDS177/netbio_netbios-name-query. These have been interspersed with DENY'd packets to port 80 which received no snort alerting. That seems to lay to rest the theory of being blocked by ipchains. But it raises the question of output syntax. (Sorry, this is so long-winded.)

Q1: What is the effect on alert_syslog of LOG_ALERT versus LOG_INFO? Will LOG_INFO give me more logging than LOG_ALERT, or do I need both?

Q2: Ditto on output database <log | alert> .... The manual gives a description of each argument EXCEPT the effect on logging of specifying log or alert. Also, do I need both?

Any help you can offer will be appreciated.

thanks, BobH
--
Bob Hillegas <bobhillegas () pdq net> 281.546.9311
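Added example, not part of the thread above: a small model of how a classic BSD-style syslogd selector decides whether a message sent at a given facility/priority is written out, applied to the two alert_syslog settings quoted in the post. It assumes sysklogd-style syslog.conf selector syntax (facility.priority, with "=" for an exact priority); the selectors it is run against are constructed for illustration.

```python
# Model of classic syslog.conf selector matching (one selector at a time),
# used to see which selectors would record a Snort alert emitted with
# "output alert_syslog: <facility> <priority>". Severity numbers follow
# RFC 3164: 0 (emerg) is most severe, 7 (debug) least severe.

# Facility names accepted by Snort's alert_syslog plugin -> syslog.conf names.
FACILITIES = {
    "LOG_AUTH": "auth", "LOG_AUTHPRIV": "authpriv", "LOG_DAEMON": "daemon",
    "LOG_USER": "user", **{f"LOG_LOCAL{i}": f"local{i}" for i in range(8)},
}
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def severity(name):
    """Numeric severity for 'LOG_ALERT' / 'LOG_INFO' style names or bare names."""
    bare = name[4:] if name.startswith("LOG_") else name
    return PRIORITIES.index(bare.lower())


def selector_matches(selector, facility, priority):
    """True if a selector such as 'auth.info' or '*.=alert' records a message
    sent at the given Snort facility/priority pair."""
    fac_part, pri_part = selector.rsplit(".", 1)
    facs = set(fac_part.split(","))
    if "*" not in facs and FACILITIES[facility] not in facs:
        return False
    if pri_part == "none":
        return False
    if pri_part == "*":
        return True
    exact = pri_part.startswith("=")
    want = severity(pri_part.lstrip("="))
    have = severity(priority)
    # A plain priority means "this severity or anything more severe"
    # (a lower number); "=" restricts it to exactly that severity.
    return have == want if exact else have <= want


def recorded_by(selectors, facility, priority):
    """Subset of selectors that would write a message at facility/priority."""
    return [s for s in selectors if selector_matches(s, facility, priority)]


if __name__ == "__main__":
    sample = ["auth.info", "auth.=alert", "*.crit", "daemon.info"]  # constructed
    for pri in ("LOG_ALERT", "LOG_INFO"):
        print(f"LOG_AUTH {pri} -> recorded by {recorded_by(sample, 'LOG_AUTH', pri)}")
```

Which of the two settings produces more entries therefore depends on the selector in the host's syslog.conf, not on Snort alone: a selector such as auth.info records both, while auth.=alert or *.crit records only the LOG_ALERT form.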