Snort mailing list archives

Stupid question, as in I ought to know the answer to this.

From: Phil Wood <cpw () lanl gov>
Date: Tue, 25 Jun 2002 10:35:09 -0600


Here is what I want to do:

  1. log alerts to binary file
  2. log "redalerts" to syslog
  3. DO NOT create an alert file (fast or full)
  
Here is what I did to get that to happen:

  1. put the following in my config file:

     output log_tcpdump: /some/full/path/to/binarylogfile

     ruletype redalert
     {
       type log  <<<--- notice not alert
       output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
     }

  2. start snort with the -A none option

This causes a WARNING:

WARNING: command line overrides rules file alert plugin!

However, I get the desired result, namely no alert file (fast or full format),
and syslogs for the few redalerts I want to know about instantly.

So, what could I do otherwise to get the desired result, and avoid the
WARNING?

Thanks,

Phil


-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Stupid question, as in I ought to know the answer to this. Phil Wood (Jun 25)
- Re: Stupid question, as in I ought to know the answer to Phil Wood (Jun 25)