Snort mailing list archives
Re: alert_syslog plugin problem
From: James Nonya <slave_tothe_box () yahoo com>
Date: Mon, 26 Jan 2004 08:46:29 -0800 (PST)
On Mon, 26 Jan 2004 12:07:39 +0100 (CET) "Gema de Toro Sánchez" <detorosanchez () yahoo es> wrote:

Hi! I don't know why the alert_syslog plugin doesn't work. I can't find any "/var/log/snort/alert" file. The configuration of the snort output plugins looks like this:
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also
# optionally specify a particular hostname/port. Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
#output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
#output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
# output alert_unified: filename snort.alert, limit 258
output log_unified: filename snort.unified.log, limit 256

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
#ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)
#
# Include classification & priority settings
# include classification.config
#
# Include reference systems
# include reference.config
#############################################################
The log_unified and alert_unified output plugins are enabled because I've also tried to get the log file "/var/log/snort/alert" using Barnyard. I can get the log_unified and alert_unified files, but the alert_syslog file still doesn't appear. barnyard.conf looks like this:
config hostname: snorthost
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_fast
output log_dump
output alert_syslog: LOG_AUTH LOG_ALERT
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password duende, detail full
Does anybody know what I'm doing wrong? Please, I need help. Thank you!!
Gema
Look at where your syslog is (normally /var/log/messages).

James
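The point of the reply is that alert_syslog does not write a file of its own: it hands each alert to the syslog daemon, and the daemon's syslog.conf selectors (facility.priority -> action) decide which file, if any, receives it. The following example is added here and is not code from the thread or from Snort; it resolves where a LOG_AUTH/LOG_ALERT message lands under a constructed sysklogd-style syslog.conf (the priority order and the sample lines are assumptions).

```python
# Resolve which syslog.conf actions receive a facility.priority message.
# Added example (not from the thread or from Snort); sysklogd-style syntax
# is assumed and the sample config below is constructed, not a real file.

# syslog priorities, most severe first (numeric 0..7)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _selector_matches(selector, facility, priority):
    """True/False if the selector covers `facility`, None if it does not.
    Supports '*', 'none', '=level' (exact) and 'level' (that level and higher)."""
    facilities, _, prio = selector.rpartition(".")
    fac_list = facilities.split(",")
    if "*" not in fac_list and facility not in fac_list:
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    exact = prio.startswith("=")
    level = PRIORITIES.index(priority)
    threshold = PRIORITIES.index(prio.lstrip("="))
    return level == threshold if exact else level <= threshold


def resolve_targets(conf_text, facility, priority):
    """Return the actions (files, '*', @host) that receive facility.priority."""
    targets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        matched = None
        for sel in selectors.split(";"):
            verdict = _selector_matches(sel, facility, priority)
            if verdict is not None:
                matched = verdict          # a later selector overrides an earlier one
        if matched:
            targets.append(action.lstrip("-"))   # leading '-' only means "no fsync"
    return targets


# constructed sample with a Debian-like layout; auth.* is diverted to auth.log
SAMPLE_SYSLOG_CONF = """\
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
*.emerg                         *
mail.*                          -/var/log/mail.log
"""
```

`resolve_targets(SAMPLE_SYSLOG_CONF, "auth", "alert")` returns `['/var/log/auth.log']`, i.e. on such a system the snort.conf line `output alert_syslog: LOG_AUTH LOG_ALERT` ends up in /var/log/auth.log rather than in any file under /var/log/snort.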