Re: snort & logging

[John Sage <jsage () finchhaven com>]

Sven:

Logging and alerts are two different animals.

At least in a rules file (this is my tcp-local-lib..) you can do this:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
#
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from

(Actually I don't thing the (msg: ... ) does anything in the log line...

So tcp coming in to *my* port 25 generates an alert, but I'm just 
logging everything that's *from* port 25

HTH..

- John

Sven Olensky wrote:

> I know, I know I bet a million people have encountered this before, but 
> I have to ask it, since I am just plainly clueless about how to go about 
> this:
>
> how exactly do I switch snort to logging into the alerts file rather 
> than the log file.. can you guys give me the complete line I have to 
> insert into snort.conf for that, please? I cant figure it out.
>
> preprocessor output..... and what then?
>
> thanks!
>
> please cc sol () intelispan net, since I am not a regular subscriber.


--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users