Snort mailing list archives

RE: disable /var/log/snort logging


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Thu, 8 May 2003 15:43:47 -0400

Nick,  

I can "feel your pain" but as mentioned in a previous post [0], the command
line alert/log options override the output plugins in snort.conf [1].  If
the Snort docs are accurate, then specifying '-N' on the command line would
override the 'output database: alert, mysql ...' option in snort.conf and
you *would* end up with alerts being written to /var/log/snort/alert.  

I think the only way you're going to get the results you want (assuming that
this is not a bug in Snort - shuuddeerr) is to specify both an alert
facility *and* a log facility in snort.conf: 

    output database: alert, mysql, user=snortusr password=fakepass \
                     dbname=snort host=localhost
    output log_null

That is, you want *two* separate 'output ...' statements in snort.conf.  The
log facility, however, will be/should be directed to null.  

It's also worth mentioning again that you shouldn't run Snort in daemon mode
until you make sure things are working.  It is my experience that Snort
console messages are lost in daemon mode, so the interactive mode will let
you see messages Snort generates as it parses and processes the command line
and snort.conf options.


- Christopher

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105236757819419&w=2 
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1 
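A small lint for the output layout Christopher describes, added here as an example and not part of the thread or of Snort itself: it reads the `output` directives of a snort.conf fragment (joining trailing-backslash continuation lines), records which facility the database plugin is attached to, and flags the two situations the thread turns on: the database plugin on the `log` facility (which `-N` switches off) and no `log_null` for the log facility. The fragments it parses are constructed for the example.

```python
import re

# Constructed snort.conf fragment in the layout Christopher recommends:
# the database plugin on the 'alert' facility and the 'log' facility nulled.
RECOMMENDED_CONF = """\
output database: alert, mysql, user=snortusr password=fakepass \\
                 dbname=snort host=localhost
output log_null
"""

# Constructed fragment in the layout the thread says -N will disable.
LOG_FACILITY_CONF = "output database: log, mysql, user=snort dbname=snort\n"


def output_directives(conf_text):
    """Return (plugin, facility) pairs for every 'output' directive.

    Trailing-backslash continuation lines are joined first.  The facility is
    only meaningful for the database plugin, whose first argument names it
    ('alert' or 'log'); other plugins get None.
    """
    joined, pending = [], ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        joined.append(line)
    directives = []
    for line in joined:
        m = re.match(r"output\s+(\w+)\s*(?::\s*(.*))?$", line)
        if not m:  # comments, preprocessor lines, rules, blanks
            continue
        plugin, args = m.group(1), (m.group(2) or "")
        facility = args.split(",")[0].strip() if plugin == "database" else None
        directives.append((plugin, facility))
    return directives


def check_output_split(conf_text):
    """Findings for the fragment; an empty list means the recommended layout."""
    directives = output_directives(conf_text)
    findings = []
    if any(p == "database" and f == "log" for p, f in directives):
        findings.append("database plugin on the 'log' facility: -N disables it")
    if not any(p == "database" and f == "alert" for p, f in directives):
        findings.append("no database plugin on the 'alert' facility")
    if "log_null" not in [p for p, _ in directives]:
        findings.append("no 'output log_null': the log facility still goes to disk")
    return findings
```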


-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Thursday, May 08, 2003 1:19 PM
To: bamm () satx rr com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging


Whenever I use -N and change my output line in snort.conf to alert, it
creates /var/log/snort/alert and continues to write alerts there.
(without packet information).

If possible, I'd like snort to _only_ log alerts (with packet
information) to mysql.  Another user suggested simply deleting the disk
logs, but even then, there is a lot of unnecessary overhead.

Basically what I'm trying to accomplish is this:
1. Log to mysql with full packet information for alerts. (done)
2. Not have snort write a lot of redundant data to the disk that already
exists in mysql.

Thanks for your kind suggestions.  Any further ideas?
NW

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com] 
Sent: Thursday, May 08, 2003 5:57 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging


Attach the database plugin to the 'alert' facility vice the 'log'
facility when using -N.
 
For example,

  output database: alert, postgresql, user=snort dbname=snort

vs.

  output database: log, postgresql, user=snort dbname=snort


Bammkkkk

On Wed, May 07, 2003 at 04:48:13PM -0700, Nick White wrote:
You're right, the -N option turns off packet logging.  Sure it doesn't
write to the disk, but it turns off packet logging within mysql as
well - not cool.  Surely there is a way to have snort log everything to
mysql (even packet logging), without dumping data to the hard drive.  I just
can't figure out how.  I'm starting snort with -b (binary logging)
option, which takes care of it crashing after a few minutes under a
really heavy load.  Even still, logging to the disk is a total waste
because I'll never do anything with the binary logs.



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
