Snort mailing list archives

Output modules, using two priorities with syslog?


From: Olafur Egilsson <olafure () modernus is>
Date: Fri, 20 Jul 2001 14:15:26 +0000

Hello,

I'm trying to output all data from snort just as explained in the next
paragraph, except for ICMP alerts, which I want to log to a special file.

The files snort is currently logging to are:
/var/log/snort/portscan:  all from the portscan preprocessor.
/var/log/snort/snort:  all alerts from snort

Now, what I want to do is to add another file,
/var/log/snort/icmp: all icmp alerts (from icmp.rules)

The standard prefix of all the rules in the files in /etc/snort/*.rules is "alert ".
For the file /etc/snort/icmp.rules I changed the prefixes
to "icmp_pkt" (sed 's/^alert /icmp_pkt /').


My idea of how to do this is by using this as the output module in snort.conf:

--- BEGIN snap from snort.conf ---
ruletype icmp_pkt
{
  type alert output
  output log_tcpdump: icmp
  output alert_syslog: LOG_LOCAL6 LOG_NOTICE
}
 
output alert_syslog: LOG_LOCAL6 LOG_INFO
output log_tcpdump: snort
--- END snap from snort.conf ---

And this is part of my /etc/syslog.conf:
--- BEGIN snap from syslog.conf ---
# Yes, should be possible to use ...;local6.!debug
# or local6.none (didn't work)
*.info;mail.none;authpriv.none;local6.!=info;local6.!=notice /var/log/messages

... 

# Here's the snort part.
local6.=info                                       /var/log/snort/snort
local6.=notice                                     /var/log/snort/icmp
--- END snap from syslog.conf ---

This syslog configuration works fine for /var/log/snort/snort at least;
the problem is that ALL alerts go to the /var/log/snort/snort file!

The command line I use to start up snort is:
/usr/local/bin/snort -D -l /var/log/snort/ -c /etc/snort/snort.conf

snort -V returns "Version 1.7"

Snort is running on Redhat 6.2
"uname -a" returns: (except for the hostname :-o)
Linux hostname.omitted 2.4.5 #2 Fri Jun 22 10:38:57 GMT 2001 i686 unknown

Yes, maybe I should get Snort 1.8.  But I think the problem is just
with me and my configuration :-)

Can anyone help ?

I did look through the mailing list archives, but with no luck.
And... the "ruletype" and "output" parts aren't particularly well documented.


Thanks !



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
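The following is an added example, not code from the original post or from the Snort project. It models how a sysklogd-style /etc/syslog.conf routes a message by its <PRI> number (facility * 8 + severity, using the standard facility and severity codes), re-implementing the selector forms used in the post (`*.info`, `mail.none`, `local6.!=info`, `local6.=notice`). Fed the three rules quoted above and the two priorities the snort.conf snippet asks for (LOG_LOCAL6/LOG_INFO and LOG_LOCAL6/LOG_NOTICE), it shows which files each priority would reach. The selector semantics (a plain level means "that severity and anything more severe", `=` matches one level, `!` subtracts, selectors apply left to right) are my reading of sysklogd's behaviour, stated here as an assumption; the config list is copied from the post with comments and the elided "..." part dropped.

```python
"""Offline model of sysklogd-style syslog.conf routing (added example)."""

# Facility and severity codes as defined by RFC 3164 / <syslog.h>.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# The syslog.conf rules quoted in the post (comments and the "..." part dropped).
POSTED_SYSLOG_CONF = [
    "*.info;mail.none;authpriv.none;local6.!=info;local6.!=notice /var/log/messages",
    "local6.=info /var/log/snort/snort",
    "local6.=notice /var/log/snort/icmp",
]


def pri(facility, severity):
    """The <PRI> number a syslog client sends: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Split a <PRI> number back into (facility code, severity code)."""
    return value // 8, value % 8


def parse_rule(line):
    """Parse one 'selector[;selector...] target' line.

    Returns ({facility code: set of matching severity codes}, target).
    Selectors are applied left to right (assumed sysklogd behaviour), so a
    later 'local6.!=info' removes what an earlier '*.info' granted.
    """
    selectors, target = line.split(None, 1)
    table = {code: set() for code in FACILITIES.values()}
    for sel in selectors.split(";"):
        fac_part, prio = sel.split(".", 1)
        codes = (list(FACILITIES.values()) if fac_part == "*"
                 else [FACILITIES[f] for f in fac_part.split(",")])
        if prio == "none":
            sevs, remove = set(SEVERITIES.values()), True
        else:
            remove = prio.startswith("!")          # '!' forms subtract
            prio = prio.lstrip("!")
            exact = prio.startswith("=")           # '=' forms match one level only
            level = SEVERITIES[prio.lstrip("=")]
            # A plain level means this severity and anything more severe,
            # i.e. every code numerically <= the level.
            sevs = {level} if exact else {s for s in SEVERITIES.values() if s <= level}
        for code in codes:
            if remove:
                table[code] -= sevs
            else:
                table[code] |= sevs
    return table, target.strip()


def route(config_lines, pri_value):
    """Return the targets a message with this <PRI> would be written to."""
    fac, sev = decode_pri(pri_value)
    targets = []
    for line in config_lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        table, target = parse_rule(line)
        if sev in table.get(fac, ()):
            targets.append(target)
    return targets


if __name__ == "__main__":
    for fac, sev in [("local6", "info"), ("local6", "notice"),
                     ("mail", "info"), ("daemon", "warning")]:
        p = pri(fac, sev)
        print(f"{fac}.{sev:<8} PRI=<{p}> -> {route(POSTED_SYSLOG_CONF, p)}")
```

Under this model, PRI 182 (local6.info) goes only to /var/log/snort/snort and PRI 181 (local6.notice) only to /var/log/snort/icmp, so the syslog.conf side splits the two priorities as intended. That makes the priority each message actually carries when it leaves snort the thing to verify next; a quick way is to send one test message per priority with `logger -p local6.info` and `logger -p local6.notice` and confirm each lands in the expected file before looking at the ruletype configuration.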

