Snort mailing list archives

Re: Snort alert file missing?


From: elof () sentor se
Date: Thu, 28 Mar 2013 17:51:58 +0100 (CET)


I would suggest:

In your snort.conf:
output unified2: filename snort.unified2
output alert_fast: snort.alert

In your barnyard2.conf:
output log_tcpdump: barnyard2.tcpdump
output database: log, <sql-type>, user=x password=xxx etc


This will result in snort always logging to unified2 and to an ASCII file 
immediately, even if barnyard2 and/or the sql server is offline.

Barnyard2 will then read events from unified2 and output them both to a 
pcap file and to the sql server.

/Elof
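The configuration split suggested above (snort writes unified2 plus a plain-text alert file, barnyard2 feeds the database) can be sanity-checked mechanically. The script below is an added example and is not part of Elof's reply or of the Snort or barnyard2 projects: it parses the `output` directives of a snort.conf, reports when no disk-based alert output is configured (the situation Nicholas ran into, where alerts exist only in the database), when no unified2 output exists for barnyard2 to read, and when the removed direct-to-database output is still present on Snort 2.9.3.0 or later. The two sample configurations are constructed for the example; the set of file-based plugin names beyond those named in the thread (alert_full, alert_csv) is an assumption about standard Snort 2 output plugins.

```python
"""Check a snort.conf for an on-disk alert output (added example, constructed configs)."""
import re

# Output plugins that write alerts/events to local disk. unified2, alert_fast and
# log_tcpdump are named in the thread; alert_full and alert_csv are assumed to be
# the other standard Snort 2 file-based outputs.
DISK_OUTPUTS = {"unified2", "alert_fast", "alert_full", "alert_csv", "log_tcpdump"}

# Direct database output, removed from Snort starting with 2.9.3.0 (per the thread).
DB_OUTPUT = "database"

# Matches "output <plugin>" or "output <plugin>: <args>" after comments are stripped.
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*(?::\s*(.*))?$")


def parse_outputs(conf_text):
    """Return a list of {'plugin', 'args'} dicts for every output directive."""
    outputs = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append({"plugin": m.group(1), "args": (m.group(2) or "").strip()})
    return outputs


def parse_version(version):
    """'2.9.4.1' -> (2, 9, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def check_outputs(conf_text, snort_version):
    """Return a list of findings (empty list means the config matches the advice)."""
    plugins = {o["plugin"] for o in parse_outputs(conf_text)}
    findings = []
    if not plugins & DISK_OUTPUTS:
        findings.append("no on-disk alert output: alerts exist only while the DB is reachable")
    if DB_OUTPUT in plugins and parse_version(snort_version) >= (2, 9, 3, 0):
        findings.append("'output database' is removed in Snort >= 2.9.3.0; use unified2 + barnyard2")
    if "unified2" not in plugins:
        findings.append("no unified2 output: barnyard2 has nothing to read")
    return findings


# Constructed sample: the office setup from the question, DB output only.
DB_ONLY_CONF = """
# snort.conf (constructed)
output database: log, mysql, user=snort password=xxx dbname=snort host=localhost
"""

# Constructed sample: the snort.conf half of the suggested split.
SUGGESTED_CONF = """
# snort.conf (constructed)
output unified2: filename snort.unified2
output alert_fast: snort.alert
"""

if __name__ == "__main__":
    for name, conf in (("db-only", DB_ONLY_CONF), ("suggested", SUGGESTED_CONF)):
        for version in ("2.8.5.2", "2.9.4.1"):
            print(name, version, check_outputs(conf, version) or "OK")
```

Running the script prints two findings for the DB-only configuration on 2.8.5.2 (no disk output, no unified2) and a third on 2.9.4.1 (the database plugin is gone), and "OK" for the suggested configuration on both versions. Barnyard2's own config is not checked here; the unified2 line is what both halves of the split depend on.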


On Thu, 28 Mar 2013, Joel Esler wrote:

On Mar 28, 2013, at 11:07 AM, Nicholas Bogart <nickybzoss () gmail com> wrote:

Snort Version 2.8.5.2

Current version is 2.9.4.1, you should update.


I have walked into an office where we are using snort connected to a mysql database.  There doesn't seem to be an 
alert file.  If we have set up a database connection will it no longer also store stuff in the alert file or is there 
a setting I am missing?

If your output method is DB, then your output method is not set to log to disk.

Keep in mind, while you are upgrading, that direct-to-db output has been removed from newer versions of Snort 
(started in 2.9.3.0), so you need to use barnyard2 to insert into the DB.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
