RE: snort & logging

[Sven Olensky <sol () intelispan net>]

how if I would like to redirect the output file written to the "log" file to
the "alerts" file? I cannot find a setting anywhere.

thanks!

> -----Original Message-----
> From: John Sage [mailto:jsage () finchhaven com]
> Sent: Monday, June 11, 2001 3:41 PM
> To: Sven Olensky
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort & logging
>
>
> Sven:
>
> Logging and alerts are two different animals.
>
> At least in a rules file (this is my tcp-local-lib..) you can do this:
>
> #
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
> #
> log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
> # alert to, log from
>
> (Actually I don't thing the (msg: ... ) does anything in the 
> log line...
>
> So tcp coming in to *my* port 25 generates an alert, but I'm just 
> logging everything that's *from* port 25
>
> HTH..
>
> - John
>
> Sven Olensky wrote:
>
> > I know, I know I bet a million people have encountered this 
> before, but 
> > I have to ask it, since I am just plainly clueless about 
> how to go about 
> > this:
> >
> > how exactly do I switch snort to logging into the alerts 
> file rather 
> > than the log file.. can you guys give me the complete line 
> I have to 
> > insert into snort.conf for that, please? I cant figure it out.
> >
> > preprocessor output..... and what then?
> >
> > thanks!
> >
> > please cc sol () intelispan net, since I am not a regular subscriber.
>
>
> -- 
> John Sage
> FinchHaven, Vashon Island, WA, USA
> http://www.finchhaven.com/
> mailto:jsage () finchhaven com
> "The web is so, like, five minutes ago..."