Snort mailing list archives
Re: preprocessor not logging into DB [SOLVED]
From: "Federico Lombardo" <egopfe () hotmail com>
Date: Thu, 16 Jan 2003 15:27:11 +0100
It was stupid and simple to solve my problem; just insert:

    output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0

without any ruletype declaration. Thanks :-*

----- Original Message -----
From: "Federico Lombardo" <egopfe () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, January 16, 2003 12:53 PM
Subject: [Snort-users] preprocessor not logging into DB
Using snort 1.9.0 build 209 on a Slackware 8.1 Linux. Starting snort with:

    ./bin/snort -g snort -u snort -o -t /usr/snorteth0 -c ./ect/snort.conf -p -i eth0

From my snort.conf:

    include ../rules/classification.config
    include ../rules/reference.config
    preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor frag2: 16777216, 30
    preprocessor stream4: memcap 16777216, detect_state_problems
    preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443 513 1433 2138 2255 5631 8080
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    var HOME_NET [81.113.172.0/27]
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    preprocessor portscan-ignorehosts: 212.17.192.49 194.247.160.6 212.17.192.49 194.73.95.85 198.41.0.10 212.216.112.112 212.245.255.2 194.20.8.4
    # spade
    # arpspoof
    preprocessor arpspoof
    preprocessor telnet_decode
    # LOGGING
    Various Variables Here ...
    ...
    ruletype clear
    {
        type pass
        output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
    }
    ruletype normal
    {
        type alert
        output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
    }
    ruletype redalert
    {
        type alert
        output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
        output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
    }
    ruletype archivio
    {
        type log
        output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password= sensor_name=fwint0 detail=full
    }

As you can see, I use the "alert" facility in the database ruletype declaration. The problem is that snort continues to log preprocessor alerts into the /var/log/snort/alerts file!!!! I've realized that rules declared with ruleaction "alert" are also logged into the file and not in the database. I think it is better to create a ruletype called "alert" to log all of these into the dataset, but the alert ruletype is always already declared! How to solve these problems??
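An added example, not code from this thread or from the Snort project: a small checker for the snort.conf mistake discussed above. It assumes the usual one-directive-per-line layout of a snort.conf and reports, for each output plugin, whether it is declared at global scope (where it also receives preprocessor alerts and plain "alert" rules) or only inside a ruletype block (where it applies only to rules that use that ruletype).

```python
# Added example, not from the thread: a checker for the snort.conf mistake
# discussed above. An 'output' line inside a ruletype block applies only to
# rules that use that ruletype; preprocessor alerts and plain 'alert' rules
# use the default alert facility, which reaches the database only when
# 'output database: alert, ...' is declared at global scope.
import re

RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(\w+)?")

def parse_outputs(conf_text):
    """Map scope ('global' or 'ruletype:<name>') to [(plugin, first_arg), ...]."""
    outputs, scope = {"global": []}, "global"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = RULETYPE_RE.match(line)
        if m:  # entering a 'ruletype <name>' block
            scope = "ruletype:" + m.group(1)
            outputs.setdefault(scope, [])
        elif line.startswith("}"):  # leaving the block
            scope = "global"
        elif (m := OUTPUT_RE.match(line)):
            outputs[scope].append((m.group(1), m.group(2) or ""))
    return outputs

def database_alert_is_global(conf_text):
    """True only if 'output database: alert, ...' exists outside every ruletype block."""
    return any(p == "database" and a == "alert" for p, a in parse_outputs(conf_text)["global"])

# Constructed sample modelled on the thread's config (empty password kept as in the post).
BROKEN_CONF = """\
preprocessor telnet_decode
ruletype normal
{
    type alert
    output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0
}
ruletype redalert
{
    type alert
    output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0
    output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
}
"""
# The fix from the [SOLVED] reply: the same output line declared at global scope.
FIXED_CONF = "output database: alert, mysql, user=snort dbname=snort_alert " \
             "host=192.168.0.2 password= sensor_name=fwint0\n" + BROKEN_CONF
```

Running `database_alert_is_global` on a sensor's real snort.conf tells you in one call whether preprocessor alerts can reach the database at all.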