Re: Spade ---What gives

[Erek Adams <erek () theadamsfamily net>]

On Wed, 13 Mar 2002 bthaler () webstream net wrote:

> Just to confirm, because neither FAQ is clear on this:
> I can have both:
> output database: alert, mysql, user=snort, dbname=snort_log host=localhost
> password=foo
> output database: log, mysql, user=snort, dbname=snort_log host=localhost
> password=foo
> at the same time, right?

Right.  What does make it a bit clearer is the Snort Users Manual (in both
HTML and PDF on snort.org).

> I changed my "log" to "alert" and the number of alerts dropped from about
> 1000 per hour to about 200... So I'm assuming that "alert" doesn't include
> "log".

Well....  There is a difference.  This should explain it:

        http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

> Right now, I'm using both "alert" and "log".  Does it matter which is listed
> first in the snort.conf?

Snort reads the .conf from the top down.  So if log is first, it will "log"
first.  If alert is, then it "alerts" first.

Now, the question you seem to be asking is "Will it matter to the DB as what
I've order I have them in?"  In the last paragraph of that email Marty sums it
up:  "What this means in practical terms is that if the db plugin is in alert
mode, it will only receive output from alert rules, whereas if it's in 'log'
mode it will receive output from both log and alert rules."

> Thanks for all the help, BTW.

No problems!  They don't call me the 'Snort Janitor' for nothing. ;-)

Hope it helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users