Snort mailing list archives

RE: FW: snort & logging


From: Sven Olensky <sol () intelispan net>
Date: Wed, 13 Jun 2001 19:50:39 -0400

I actually did, thanks for the hint, but it's not working still.

ps auxww:
/usr/local/snort/snort -dvs -c /usr/local/snort/etc/snort.conf -A fast -i eth0 -l /usr/local/snort/log/

snort.conf:

[..snip..]
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $INTERNAL 4 3 /usr/local/snort/log/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
[..snip..]
include /usr/local/snort/etc/snort.rules

snort.rules being the concatenation of all the rules files.

syslog:
e.g.
Jun 13 19:26:19 XXX snort[2683]: IDS255/ddos-shaft-handler-to-agent: 192.168.74.50:1024 -> 192.168.74.41:187

but this never gets written into an "alert" file. However, directories with
the source / attacker IP address are created, and the info is stored in a file in
that ip-address/ directory. Just the alert file is missing.


hence, please advise. rwx permissions are cool, too btw.

-----Original Message-----
From: Brian Caswell [mailto:bmc () mitre org]
Sent: Wednesday, June 13, 2001 5:19 PM
To: Sven Olensky
Cc: snort-users () lists sourceforge net
Subject: Re: FW: [Snort-users] snort & logging


Sven Olensky wrote:

please advise.

Please read README.

-- 
Brian Caswell
The MITRE Corporation

