Snort mailing list archives

Strange effect splitting 'alert' to 'redalert' + 'logalert'


From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Tue, 27 Nov 2001 22:43:22 +0100

Hi!

Maybe I did something which is not meant to be used this way(?):

I wanted to have two levels of alerts and logs, so I decided
to use the user-defined 'ruletype's like:
------------------------------- snip ----------------------------
ruletype logalert
{
   type alert
   output alert_syslog: LOG_LOCAL3 LOG_WARNING
   output alert_fast: /var/log/snort/logalert
   output log_tcpdump: /var/log/snort/snort.log.dump
}
------------------------------- snip ----------------------------
The 'redalert' is similar but has a higher log facility
and different filenames.

Then I decided which rule (originally 'alert') will become 'redalert'
or 'logalert', and if I did it correctly only those two kinds of rule
do exist now.

HERE Snort is:  Version 1.8.3 (Build 87)
has flexresponse but not yet databases and uses syslog so far.
runs on LINUX (SuSE-7.2) on a router's mirror-port.

What goes RIGHT is: syslog, alert_fast
What goes WRONG is: log_tcpdump

Is there a way to append instead of write from beginning of the file
when snort restarts? (It seems to always begin from empty file).

Somehow it seems as if not *every* alerting packet(contents) is logged,
I often do not find a packet in those files, even if alert_fast did tell
me its from and to addresses...

And besides this, portscans are logged to some other/own default file,
which is acceptable so far :-)

Any ideas what I missed from 'snort.pdf' (maybe it does not explain
something as of version *.3 and I'd rather read sources?)

Thanks a lot,      Stucki

-- 
Christoph von Stuckrad       * *  | nickname  | <stucki () math fu-berlin de> \
Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /
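The symptom described in the post (alert_fast reports a packet, but the log_tcpdump file does not contain it) is the kind of thing worth checking mechanically before digging into Snort's sources. The script below is an added example, not code from the post or from the Snort project: it parses alert_fast lines for their 5-tuple, walks a classic libpcap file written by log_tcpdump (Ethernet link type assumed), and reports alerts for which no matching packet exists in the dump. The alert lines, the pcap bytes and the `build_pcap` helper are constructed here purely as sample input; on a real sensor you would read the two files Snort wrote instead.

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample alert_fast lines in the Snort 1.x style used on the post.
SAMPLE_ALERTS = [
    "11/27-22:40:01.000001 [**] [1:1000001:1] LOGALERT test [**] {TCP} 10.0.0.5:34567 -> 10.0.0.9:80",
    "11/27-22:40:02.000002 [**] [1:1000002:1] REDALERT test [**] {UDP} 10.0.0.7:53000 -> 10.0.0.9:53",
    "11/27-22:40:03.000003 [**] [1:1000003:1] LOGALERT test [**] {TCP} 10.0.0.8:40000 -> 10.0.0.9:22",
]

# Matches the protocol and the address/port pair at the end of an alert_fast line.
ALERT_RE = re.compile(
    r"\{(?P<proto>TCP|UDP|ICMP)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert_fast(lines):
    """Return (proto, src, sport, dst, dport) tuples for every parsable alert line."""
    flows = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], int(m["sport"] or 0),
                          m["dst"], int(m["dport"] or 0)))
    return flows


def build_pcap(flows):
    """Constructed helper: write a minimal classic pcap (Ethernet/IPv4, no payload)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for proto, src, sport, dst, dport in flows:
        pnum = 6 if proto == "TCP" else 17
        # 20-byte TCP header or 8-byte UDP header, fields after the ports zeroed
        l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == "TCP" else b"\x00" * 4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, pnum, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + l4
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


def packets_from_pcap(data):
    """Return the (proto, src, sport, dst, dport) tuple of each IPv4 packet in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"        # byte order of the record headers
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) dumps are handled here")
    flows, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            flows.append(("TCP" if proto == 6 else "UDP", src, sport, dst, dport))
        elif proto == 1:
            flows.append(("ICMP", src, 0, dst, 0))
    return flows


def unlogged_alerts(alert_lines, pcap_bytes):
    """Alerts whose 5-tuple has no (remaining) matching packet in the dump, in alert order."""
    available = Counter(packets_from_pcap(pcap_bytes))
    missing = []
    for flow in parse_alert_fast(alert_lines):
        if available[flow] > 0:
            available[flow] -= 1                          # consume one logged packet
        else:
            missing.append(flow)
    return missing


# Constructed dump: only the first two alerted flows made it into the tcpdump log.
SAMPLE_PCAP = build_pcap([
    ("TCP", "10.0.0.5", 34567, "10.0.0.9", 80),
    ("UDP", "10.0.0.7", 53000, "10.0.0.9", 53),
])

if __name__ == "__main__":
    for flow in unlogged_alerts(SAMPLE_ALERTS, SAMPLE_PCAP):
        print("alerted but not in tcpdump log:", flow)
```

Run it against the real files by replacing `SAMPLE_ALERTS` with the lines of the alert_fast file and `SAMPLE_PCAP` with the bytes of the log_tcpdump file; a non-empty result confirms the gap the post describes, and the alert timestamps then tell you whether the missing packets cluster around a Snort restart, which would point at the file being rewritten rather than at packets never being logged.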

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
