Snort mailing list archives
Re: SNORT3 - Alerts logging
From: Russ via Snort-users <snort-users () lists snort org>
Date: Sat, 6 Oct 2018 09:08:54 -0400
The alert_full options are:

$ snort --help-config alert_full
bool alert_full.file = false: output to alert_full.txt instead of stdout
int alert_full.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }
The path and units you are trying to configure won't work. Look in the manual under 4.7 Usage / Output Files for options and examples for log files.
It looks like you want this in your conf:

alert_full = { file = true, limit = 1000000000 }

and -l /var/log on your command line.

Hope that helps.

Russ

On 10/6/18 4:05 AM, ZdenekChladek_cyber wrote:
Hello,

I'm studying from the manual how to log alerts:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00363000000000000000

Passage from the manual:
******
2.6.3 alert_full
This will print Snort alert messages with full packet headers. The alerts will be written in the default logging directory (/var/log/snort) or in the logging directory specified at the command line.
******

In my configuration I have tried:

alert_full = {file = true, limit = 1, units = G }

but the log is stored in the /home directory in txt format.

I tried to pass a path as the 'filename' parameter in many variations, but none of them works:

alert_full = {/var/log/, limit = 1, units = G }
FATAL: can't load /usr/local/snort/etc/snort/snort.lua: /usr/local/snort/etc/snort/snort.lua:338: unexpected symbol near '/'

alert_full = {'/var/log/', limit = 1, units = G }
ERROR: can't find alert_full

alert_full = {'/var/log/alert.full', limit = 1, units = G }
ERROR: can't find alert_full

alert_full = {alert.full, limit = 1 , units = M }
FATAL: can't init /usr/local/snort/etc/snort/snort.lua: /usr/local/snort/etc/snort/snort.lua:338: attempt to index global 'alert' (a nil value)
Fatal Error, Quitting..

What seems to be different compared to Snort 2.x are the parameters inside {}. Does some documentation exist from which I can get enough information for Snort3?

Thank You
ZAJDAN

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
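Added example, not from the thread or from the Snort project: a small Python checker that applies the alert_full schema printed by `snort --help-config alert_full` above (file: bool, limit: int in MB) to a snort.lua fragment and reports why entries such as a bare path or `units = G` are rejected. It parses only this one table with a regular expression, not general Lua, and ALERT_FULL_SCHEMA, parse_lua_scalar and check_alert_full are names chosen for this example.

```python
import re

# Schema from `snort --help-config alert_full` quoted above:
# bool alert_full.file (default false), int alert_full.limit (MB, 0 = unlimited).
ALERT_FULL_SCHEMA = {"file": bool, "limit": int}
_TABLE = re.compile(r"alert_full\s*=\s*\{(.*?)\}", re.S)
_ENTRY = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$", re.S)


def parse_lua_scalar(raw):
    """Convert a Lua boolean, integer or quoted string literal to a Python value."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    # A bare word such as G or alert.full is a Lua global (nil here), not a string.
    raise ValueError(f"{raw!r} is an unquoted Lua global, not a literal")


def check_alert_full(lua_text):
    """Return the problems found in the alert_full table; [] means it is well formed."""
    m = _TABLE.search(lua_text)
    if not m:
        return ["no 'alert_full = { ... }' table found"]
    problems = []
    # Splitting on commas is enough for this module's scalar values.
    for entry in (e.strip() for e in m.group(1).split(",")):
        if not entry:
            continue
        em = _ENTRY.match(entry)
        if not em:  # a path or other positional value: the module has no such slot
            problems.append(f"{entry!r}: positional value; use key = value entries and"
                            " choose the log directory with -l <dir> on the command line")
            continue
        key, raw = em.groups()
        if key not in ALERT_FULL_SCHEMA:
            problems.append(f"{key!r}: unknown parameter; alert_full accepts only "
                            + ", ".join(ALERT_FULL_SCHEMA))
            continue
        try:
            value = parse_lua_scalar(raw)
        except ValueError as err:
            problems.append(f"{key!r}: {err}")
            continue
        if type(value) is not ALERT_FULL_SCHEMA[key]:  # bool subclasses int: compare types
            problems.append(f"{key!r}: expected {ALERT_FULL_SCHEMA[key].__name__}, got {value!r}")
    return problems
```

Running it over the four attempts quoted in the original post reports a positional value for each path variant and an unknown `units` parameter, while the table suggested in the reply passes cleanly.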