Snort mailing list archives
RE: -l parameter
From: "Michael Steele" <michaels () winsnort com>
Date: Mon, 8 Dec 2003 20:04:04 -0800
Adam,

You just placed all your marbles into one pot. If you lose your database you lose it all. At least with the log you could populate the database if it got corrupted. I don't suggest anyone do this, especially in a production environment. If you don't have enough room for the log file, then get a few more megs of storage space.

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of adam_peterson () splwg com
Sent: Monday, December 08, 2003 4:17 PM
To: Chris Keladis
Cc: Dirk Geschke; snort-users () lists sourceforge net
Subject: Re: [Snort-users] -l parameter

I used -N as suggested and it solved my problem. The only files created are a 0 byte scan.log and a portscan.log that's > 0 bytes which I can deal with. I think that's because the portscan preprocessor has to log to a file for comparison.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com

Chris Keladis <chris () cmc optus net au>
12/09/2003 11:12 AM ZE11
To: Dirk Geschke <Dirk () geschke-online de>, adam_peterson () splwg com
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] -l parameter

At 10:27 PM 8/12/2003 +0100, Dirk Geschke wrote:
afford to log to disk. I have no output options logging locally. Just 1 line in snort.conf for output:

output database: alert, mysql, user=zzz password=zzz dbname=zzz host=zzz sensor_name=zzz

I guess all you need is the option "-N". You still need a log directory for snort but it won't be used. But all alerts will be sent to the database via the output plugin.

Hrrmm.. I use -N and -l (that's L) with unified output, and I still get logs to the 'alert' file. I haven't looked into it, but it always had me wondering why?

Regards,
Chris.