FW: snort & logging

[Sven Olensky <sol () intelispan net>]

please advise.

thanks.

> -----Original Message-----
> From: Sven Olensky 
> Sent: Monday, June 11, 2001 4:06 PM
> To: 'John Sage'
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] snort & logging
>
>
> how if I would like to redirect the output file written to 
> the "log" file to the "alerts" file? I cannot find a setting anywhere.
>
> thanks!
>
> > -----Original Message-----
> > From: John Sage [mailto:jsage () finchhaven com]
> > Sent: Monday, June 11, 2001 3:41 PM
> > To: Sven Olensky
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] snort & logging
> >
> >
> > Sven:
> >
> > Logging and alerts are two different animals.
> >
> > At least in a rules file (this is my tcp-local-lib..) you 
> can do this:
> > #
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
> > #
> > log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
> > # alert to, log from
> >
> > (Actually I don't thing the (msg: ... ) does anything in the 
> > log line...
> >
> > So tcp coming in to *my* port 25 generates an alert, but I'm just 
> > logging everything that's *from* port 25
> >
> > HTH..
> >
> > - John
> >
> > Sven Olensky wrote:
> >
> > > I know, I know I bet a million people have encountered this 
> > before, but 
> > > I have to ask it, since I am just plainly clueless about 
> > how to go about 
> > > this:
> > >
> > > how exactly do I switch snort to logging into the alerts 
> > file rather 
> > > than the log file.. can you guys give me the complete line 
> > I have to 
> > > insert into snort.conf for that, please? I cant figure it out.
> > >
> > > preprocessor output..... and what then?
> > >
> > > thanks!
> > >
> > > please cc sol () intelispan net, since I am not a regular subscriber.
> >
> >
> > -- 
> > John Sage
> > FinchHaven, Vashon Island, WA, USA
> > http://www.finchhaven.com/
> > mailto:jsage () finchhaven com
> > "The web is so, like, five minutes ago..."