Snort mailing list archives
Re: No alerts
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 25 Mar 2002 16:49:33 -0800
Hi Brian,

Well, I have as much trouble recalling what I read as I do understanding it in the first place <grin>. And, day by day, I seem to be worse at each.
But, my configuration seems to be sanctioned. From the users manual:
Multiple output plugins may be specified in the Snort configuration file. When multiple plugins of the same type (log, alert) are specified, they are "stacked" and called in sequence when an event occurs. As with the standard logging and alerting systems, output plugins send their data to /var/log/snort by default or to a user directed directory (using the "-l" command line switch).
So, am I one of a few rare birds actually stacking multiple output plugins? My guess is not, but it's merely a guess. I do see that the Honeynet folks use, or used, a similar configuration. In fact, I think I based mine on theirs. See <http://project.honeynet.org/papers/honeynet/snort.conf>.
In any case, my question stands: Is there a convenient way to obtain near real-time alert reporting when logging only to a binary file? Otherwise, there's a strong reason for WANTING to stack multiple output plugins. Though it's certainly possible that doing so may increase the frequency or severity of snort problems, despite evidence that doing so should work okay. I dunno.
Cheers,

--On Monday, March 25, 2002 4:28 PM -0500 Brian <bmc () snort org> wrote:

According to Bill McCarty:

output alert_syslog: LOG_LOCAL1 LOG_INFO
output log_tcpdump: snort.log
output alert_full: /space1/snort/snort-full
output alert_fast: /space1/snort/snort-fast

Q: What am I missing?

A read through the users manual? Why are you trying to log to 4 places at once? Don't do that. Pick one output plugin and stick to that.

-brian
---------------------------------------------------
Bill McCarty
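The question in the thread is whether a binary-only log (the file written by "output log_tcpdump") can feed near real-time alert reporting. The following is an added example, not code from the thread, from Bill, or from the Snort project: it reads a libpcap-format log incrementally, stopping cleanly at a record that Snort has only half written and resuming from that offset once more bytes land, and prints one line per logged packet. It assumes the log uses the standard libpcap file layout with Ethernet link type; the sample frames and the sample log bytes are constructed here for the demo. The caveat it makes visible is the reason the stacked configuration exists at all: the pcap file carries the triggering packet but no rule message or priority, so what comes out of a tail like this is a packet notification, not the alert text that alert_fast or alert_syslog would give you.

```python
"""Follow a Snort log_tcpdump (libpcap) file and emit one line per logged packet.

Added example for the Snort-users thread above; not Snort's own code. Assumes a
standard libpcap file header and Ethernet (linktype 1) frames. Sample bytes are
constructed below.
"""
import socket
import struct
import sys
import time

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_global_header(buf):
    """Return (struct endian prefix, linktype); raise ValueError if not a pcap header."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise ValueError("need %d bytes for the pcap global header" % GLOBAL_HDR_LEN)
    magic = struct.unpack("<I", buf[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic %#x" % magic)
    linktype = struct.unpack(endian + "IHHiIII", buf[:GLOBAL_HDR_LEN])[6]
    return endian, linktype


def read_records(buf, offset=0):
    """Parse complete records from buf starting at offset.

    Returns (records, next_offset). A record whose header or body is not yet
    fully present (Snort is still writing it) is left alone, and next_offset
    points at its start so the caller can resume after the file grows.
    """
    endian, _linktype = parse_global_header(buf)
    offset = max(offset, GLOBAL_HDR_LEN)
    records = []
    while len(buf) - offset >= RECORD_HDR_LEN:
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", buf[offset:offset + RECORD_HDR_LEN])
        body_start = offset + RECORD_HDR_LEN
        if len(buf) - body_start < incl_len:
            break  # partial packet body: resume here once more bytes are appended
        records.append((ts_sec, ts_usec, buf[body_start:body_start + incl_len]))
        offset = body_start + incl_len
    return records, offset


def summarize(pkt):
    """One-line Ethernet/IPv4 summary; the pcap carries no rule sid/msg, only the packet."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return "non-IPv4 frame (%d bytes)" % len(pkt)
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    name = PROTO.get(proto, str(proto))
    l4 = 14 + ihl
    if proto in (6, 17) and len(pkt) >= l4 + 4:
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
        return "%s:%d -> %s:%d %s" % (src, sport, dst, dport, name)
    return "%s -> %s %s" % (src, dst, name)


def follow(path, poll=1.0):
    """Yield (ts_sec, ts_usec, packet) as Snort appends to the log (tail -f style)."""
    buf, offset = b"", 0
    with open(path, "rb") as f:
        while True:
            buf += f.read()  # returns only the newly appended bytes on later calls
            try:
                records, offset = read_records(buf, offset)
            except ValueError:
                records = []  # global header not fully written yet
            for rec in records:
                yield rec
            time.sleep(poll)


def build_tcp_packet(src, sport, dst, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame for the sample log (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def make_pcap(packets, linktype=1):
    """Constructed little-endian pcap file holding the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1017100173 + i, 0, len(pkt), len(pkt)) + pkt
    return out


SAMPLE_PACKET = build_tcp_packet("10.0.0.5", 4444, "192.168.1.10", 80)
SAMPLE_LOG = make_pcap([SAMPLE_PACKET, SAMPLE_PACKET])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ts_sec, ts_usec, pkt in follow(sys.argv[1]):
            print("%d.%06d %s" % (ts_sec, ts_usec, summarize(pkt)))
    else:
        for ts_sec, ts_usec, pkt in read_records(SAMPLE_LOG)[0]:
            print("%d.%06d %s" % (ts_sec, ts_usec, summarize(pkt)))
```

Run it as `python follow_snortlog.py /var/log/snort/snort.log` against a live log, or with no argument to walk the constructed sample. The resume offset is what makes this safe to run while Snort is writing: a record whose body has not yet reached the file is neither misparsed nor skipped.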