Snort mailing list archives

Re: Same question again..


From: John Sage <jsage () finchhaven com>
Date: Sat, 25 May 2002 10:36:36 -0700

On Linux 2.2.14, snort 1.8.4 build 99, I'm doing this:

Command line:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf

Relevant snort.conf:

<snip>
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT 

output alert_syslog: LOG_DAEMON LOG_ALERT
# keep as from 1.8.2 - this is FACILITY-LEVEL, I believe.. 
# -------------------------------------------------
# output alert_full

output alert_full: /var/log/snort/alert184.full
# keep as from 1.8.2 # attempted in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
# attempted in snort18REL.conf for snort 1.8.1-RELEASE
# hasn't been shown in snort.conf for several releases: works as from 1.7
<snip>


This binary logs to this sort of a file, for example:

4678983 May 20 15:19 snort-0520@0722.log


and alerts go to this sort of a file:

11226 May 20 15:14 alert184.full-0520@0722.log


and syslog gets alerts, and logcheck picks them up, thus:

<snip>
Security Violations
=-=-=-=-=-=-=-=-=-=
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
<snip>


So this works for me...

YMMV..


- John
-- 
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
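As an added example (not code from the post or from the Snort project), here is a small parser for the syslog alert lines that logcheck reported above. It rejoins logcheck's "+"-prefixed continuation lines, pulls out the `[gid:sid:rev]` tuple, message, protocol and endpoints from each `snort:` line, and counts alerts per rule id. The first sample line reproduces John's excerpt; the second and third alerts and the `sshd` line are constructed, and rejoining wrapped lines with a single space is an assumption based on how the quoted output was broken.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the first alert reproduces the logcheck excerpt
# quoted in the post; the other two alerts and the sshd line are made up.
# logcheck wraps long syslog lines and prefixes each continuation with "+".
SAMPLE_LOGCHECK = """\
Security Violations
=-=-=-=-=-=-=-=-=-=
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
May 20 15:22:10 greatwall snort: [1:1000001:2] LOCAL constructed UDP rule {UDP}
+10.0.0.5:53 -> 10.0.0.9:1025
May 20 15:25:01 greatwall snort: [1:1000002:1] LOCAL constructed ICMP rule {ICMP} 10.0.0.7 -> 10.0.0.9
May 20 15:30:00 greatwall sshd[123]: not a snort line, must be ignored
"""

# Shape of a Snort 1.8 alert_syslog line (after the syslog timestamp/host):
#   snort: [gid:sid:rev] MESSAGE {PROTO} SRC[:SPORT] -> DST[:DPORT]
# Ports are absent for ICMP, so they are optional here.
SNORT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def unwrap_logcheck(text: str) -> List[str]:
    """Rejoin lines that logcheck wrapped. A line starting with '+' continues
    the previous one; logcheck broke the line at a space, so we rejoin with a
    single space (assumption based on the quoted output)."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("+") and joined:
            joined[-1] = joined[-1] + " " + line[1:].strip()
        else:
            joined.append(line)
    return joined


def parse_alerts(text: str) -> List[SnortAlert]:
    """Parse every Snort alert in a logcheck report, skipping the report
    headers and any non-Snort syslog lines."""
    alerts: List[SnortAlert] = []
    for line in unwrap_logcheck(text):
        m = SNORT_RE.match(line)
        if not m:
            continue
        alerts.append(SnortAlert(
            timestamp=m["ts"], host=m["host"],
            gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], proto=m["proto"],
            src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        ))
    return alerts


def count_by_sid(alerts: List[SnortAlert]) -> Dict[int, int]:
    """Alert volume per rule id: the first cut when triaging a noisy report."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOGCHECK)
    for a in parsed:
        print(f"{a.timestamp} sid={a.sid} {a.proto} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
    print(count_by_sid(parsed))
```

Because the `alert_syslog` line carries the rule id and the endpoints but not the packet, the binary log written by `-b` is what you go back to when an alert needs the payload; the parser above is only for the syslog side.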



On Thu, May 23, 2002 at 03:36:46PM -0400, C Boss wrote:
Guys, help me out here please. This is the second time I have put out this 
question. Is the question plain stupid, or do you need more information? 
Please let me know.

"I want to log in a binary format and thus am using the -b option. I am also 
logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS 
in the snort.conf file.

The problem is that if I use the -b option with Snort, I don't see any
alerts in the syslog.

Do the two not work together?"

Thanks.

