Snort mailing list archives

Re: IP Address subdirectories


From: Joe McAlerney <joey () SiliconDefense com>
Date: Mon, 03 Dec 2001 13:15:19 -0800

Well, your syntax is correct.  There doesn't seem to be anything in your
command line options that would indicate alert_full is being
overridden.  If your user was non-root, it may be that they don't have
write access to /var/log/snort.  I don't think the group affects this.

I would try the following for testing purposes.

1) remove the -m option
2) Try placing the output alert_full: after the database plugin
configuration.

Post back if you find anything out.

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Phil Lyons wrote:

Hi,

Thank you for the response.

I have modified my snort.conf file by adding:

output alert_full: /var/log/snort/alert

as the first output plugin.

This is my attempt to get normal IP based directory format by looking
at the other output directives.  Did I understand this correctly?

After adding this to my snort.conf file, the logging output has not
changed.  i.e., no IP directories are being created.

Thanks again,

Phil



-----cut


I see no subdirectories under /var/log/snort for IP addresses.

[...]


var HOME_NET any
output database: log, mysql, user=snort password=xxxxxxxx dbname=snort host=xx.x.x.x



You are using database logging so you are not doing the normal ip
based directory format. You can do that as well ( look at the other
output: ) directives in the snort.conf

--
Chris Green

----->cut



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


