Snort mailing list archives
Re: Lost in the config file
From: John Sage <jsage () finchhaven com>
Date: Wed, 26 Jun 2002 20:48:38 -0700
On Wed, Jun 26, 2002 at 08:56:31PM -0500, K. A. Steensma wrote:
> This is a very small portion of an old message -
>
> -s xxx.xxx.xxx.xxx:xxx *** This works properly ***
>
> I (really) have given the user manual and FAQ a 'pretty good' look and can not figure out what the 3 numbers after the colon (:) are for. It seems that I have 'skipped' reading a very necessary doc.
I'm not finding the syntax you've got, above, anywhere in the FAQ, USAGE, or in man snort.

The FAQ only has -s at:

cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you () domain com
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you () domain com

USAGE only has:

To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. If you want to configure other facilities for syslog output, use the output plugin directives in the rules files (see the snort.conf file for more information).

and several command line examples where -s is followed by -h:

1) Log to default (decoded ASCII) facility and send alerts to syslog
snort -c snort.conf -l ./log -s -h 192.168.1.0/24

2) Log to the default facility in /var/log/snort and send alerts to a fast alert file:
snort -c snort.conf -s -h 192.168.1.0/24

man snort says:

-s Send alert messages to syslog. On linux boxen, they will appear in /var/log/secure, /var/log/messages on many other platforms.

So I'm not seeing that syntax, anywhere...
> And I'm very mixed up in relating the command line options to the config file. What I mean is: I can add the '-i' command line option to designate the interface to watch, but how would I put this into the config file instead of on the command line?
The command line overrules the snort.conf settings; there's no way that I know of to specify the interface in snort.conf
> Am I missing something or is there no 'search' feature in the mailing list archives at Geocrawler? I really feel like a novice (which I really am when it comes to Snort).
There isn't that I know of. Personally, I prefer Neohapsis for archives, see:

http://archives.neohapsis.com/archives/snort/

These, at least, can be sorted by author, subject, or thread.

- John

--
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5