Snort mailing list archives

Question about output syntax...


From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 20 Aug 2001 20:50:22 -0500 (CDT)

I am a new snort user. I've been following the traffic on this list for
several months now, and finally took the plunge at 1.8.1.

A recurring theme with newbies is "I'm using ipchains on ppp0 and don't
get any alerts". There is confusion in the list since February whether
snort will be screened out by ipchains on ppp0. So it's not surprising
that when I got no logging, I assumed that was the problem.

A recent posting claiming to get logging on ppp0 behind ipchains made
me spend some time in the FAQ and the Snort Users Manual. It was still
unclear why I'm getting no logging in spite of receiving over 200 denied
packets this week on port 80. I have to assume the majority of these are
Code Red, but no alerts logged.

I am using 1.8.1-RELEASE (Build 74).
I am alternating (testing) snort.conf ruleset v1.62 2001/08/12 04:31:01
and vision18.conf ruleset Export date: 20010720.0730.

This afternoon, as a test, I changed
output alert_syslog: LOG_AUTH LOG_ALERT
to
output alert_syslog: LOG_AUTH LOG_INFO.

Since then, I've received 9 snort alerts logged to syslog, all of them
[1:0:0] IDS177/netbio_netbios-name-query. These have been interspersed
with DENY'd packets to port 80 which received no snort alerting.

That seems to lay to rest the theory of being blocked by ipchains. But it
raises the question of output syntax.

(Sorry, this is so long winded)

Q1: What is the effect on alert_syslog of LOG_ALERT versus LOG_INFO. Will
LOG_INFO give me more logging than LOG_ALERT or do I need both?

Q2: Ditto on output database <log | alert> .... The manual gives a
description of each argument EXCEPT the effect on logging by specifying
log or alert. Also, do I need both?

Any help you can offer will be appreciated.
thanks, BobH

-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
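Added example (not part of the post above, and not Snort's own code): a small Python model of what the LOG_AUTH / LOG_ALERT / LOG_INFO arguments on the alert_syslog line actually do. In Snort the facility and priority are only the label stamped on every alert the plugin sends; they do not change how many alerts fire. Whether an alert then lands in a file is decided by the selector in syslogd's syslog.conf, and a classic "facility.priority" selector matches that priority and everything MORE severe, so auth.info catches both LOG_INFO and LOG_ALERT messages while auth.alert catches only LOG_ALERT and LOG_EMERG. The two alert_syslog lines below are the ones quoted in the post; the selector lines and the simplified sysklogd-style matching rules are assumptions constructed for the example. (On Q2: the log | alert keyword picks which of Snort's two output streams, alerts or logged packets, the database plugin attaches to; a second output line is needed to get both.)

```python
"""Model how syslogd routes Snort's alert_syslog output.

Added example, not code from the original post or from Snort. It encodes the
RFC 3164 facility/severity numbers and the classic BSD/sysklogd syslog.conf
selector rule: "facility.priority" matches that priority and every MORE
severe one, "facility.=priority" matches exactly that priority,
"facility.none" drops the facility, "*" means every facility, and later
selectors in a ";"-separated list override earlier ones for the same
facility (a simplification of sysklogd's real parser, which also has "!").
Snort's "output alert_syslog: <facility> <priority>" line only chooses the
label each alert carries; it does not change which rules fire.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}

# Lower number = more severe: emerg is 0, debug is 7.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def _severity(name):
    return SEVERITIES[ALIASES.get(name, name)]


def parse_snort_output(line):
    """Parse an 'output alert_syslog: LOG_AUTH LOG_ALERT [options]' line.

    Returns (facility, severity) as numbers. Tokens such as LOG_PID or
    LOG_CONS are syslog options, not a facility or priority, and are ignored.
    """
    head, sep, args = line.partition(":")
    if not sep or head.split() != ["output", "alert_syslog"]:
        raise ValueError(f"not an alert_syslog output line: {line!r}")
    facility = severity = None
    for tok in args.split():
        name = (tok[4:] if tok.startswith("LOG_") else tok).lower()
        if name in FACILITIES:
            facility = FACILITIES[name]
        elif ALIASES.get(name, name) in SEVERITIES:
            severity = _severity(name)
    if facility is None or severity is None:
        raise ValueError(f"facility and priority both required: {line!r}")
    return facility, severity


def pri(facility, severity):
    """The <PRI> number that prefixes the message on the wire (RFC 3164)."""
    return facility * 8 + severity


def build_table(selector_list):
    """Turn 'auth.info;mail.none' into {facility: set of matching severities}."""
    table = {f: set() for f in FACILITIES.values()}
    for selector in selector_list.split(";"):
        fac_spec, sep, pri_spec = selector.strip().partition(".")
        if not sep:
            raise ValueError(f"bad selector: {selector!r}")
        facs = (list(FACILITIES.values()) if fac_spec == "*"
                else [FACILITIES[f] for f in fac_spec.split(",")])
        if pri_spec == "none":
            matching = set()
        elif pri_spec.startswith("="):
            matching = {_severity(pri_spec[1:])}
        elif pri_spec == "*":
            matching = set(SEVERITIES.values())
        else:  # priority and everything more severe (lower number)
            matching = {s for s in SEVERITIES.values()
                        if s <= _severity(pri_spec)}
        for f in facs:
            table[f] = set(matching)
    return table


def routed(snort_output_line, selector_list):
    """True if syslogd would pass Snort's alerts to the action on that line."""
    facility, severity = parse_snort_output(snort_output_line)
    return severity in build_table(selector_list)[facility]


# Constructed selector lines (assumed, not from the poster's system): a
# Red Hat-style /var/log/messages line and two narrower ones.
SELECTORS = {
    "*.info;mail.none;authpriv.none;cron.none": "catch-all messages file",
    "auth.alert": "only alert and emerg from auth",
    "auth.=info": "exactly info from auth",
}
# The two configurations quoted in the post.
POSTER_LINES = [
    "output alert_syslog: LOG_AUTH LOG_ALERT",
    "output alert_syslog: LOG_AUTH LOG_INFO",
]

if __name__ == "__main__":
    for line in POSTER_LINES:
        fac, sev = parse_snort_output(line)
        print(f"{line}  -> <{pri(fac, sev)}>")
        for sel, why in SELECTORS.items():
            print(f"    {sel:45} {routed(line, sel)!s:5} ({why})")
```

Running it shows that against a typical *.info catch-all both of the poster's lines are routed, so switching LOG_ALERT to LOG_INFO gives no more alerts there; only a selector that pins or excludes a priority (auth.=info, auth.alert, auth.none) behaves differently. The practical check is therefore to grep syslog.conf for the selector that covers the auth facility and compare it with the priority Snort is configured to stamp on its alerts.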

