Snort mailing list archives

Re: Same question again..


From: "C Boss" <cboss99 () hotmail com>
Date: Tue, 28 May 2002 16:57:08 -0400

This is how I startup Snort:

/usr/local/snort -b snort.conf -i eth0 -D

This is what the relevant part of my snort.conf looks like:

output alert_syslog: LOG_LOCAL7 LOG_ALERT

output log_tcpdump: snort.log


From: John Sage <jsage () finchhaven com>
To: C Boss <cboss99 () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Same question again..
Date: Sat, 25 May 2002 10:36:36 -0700

On Linux 2.2.14, snort 1.8.4 build 99, I'm doing this:

Command line:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf

Relevant snort.conf:

<snip>
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT

output alert_syslog: LOG_DAEMON LOG_ALERT
# keep as from 1.8.2 - this is FACILITY-LEVEL, I believe..
# -------------------------------------------------
# output alert_full

output alert_full: /var/log/snort/alert184.full
# keep as from 1.8.2 # attempted in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
# attempted in snort18REL.conf for snort 1.8.1-RELEASE
# hasn't been shown in snort.conf for several releases: works as from 1.7
<snip>


This binary logs to this sort of a file, for example:

4678983 May 20 15:19 snort-0520@0722.log


and alerts go to this sort of a file:

11226 May 20 15:14 alert184.full-0520@0722.log


and syslog gets alerts, and logcheck picks them up, thus:

<snip>
Security Violations
=-=-=-=-=-=-=-=-=-=
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
<snip>


So this works for me...

YMMV..


- John
--
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5



On Thu, May 23, 2002 at 03:36:46PM -0400, C Boss wrote:
> Guys, help me out here please. This is the second time I have put out this
> question. Is the question plain stupid or do you need more information?
> Please let me know.
>
> "I want to log in a binary format and thus am using the -b option. I am also
> logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS
> in the snort.conf file.
>
> The problem is that if I use the -b option with Snort, I don't see any
> alerts in the syslog.
>
> Do the two not work together?"
>
> Thanks.
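The logcheck excerpt in John's reply shows the shape of a Snort alert_syslog line: `[gid:sid:rev] message {proto} src:port -> dst:port`, with logcheck wrapping long lines and prefixing the continuation with `+`. Below is an added example, not code from this thread or from the Snort project, that rejoins those continuations and parses the alerts into structured records so they can be counted or filtered. The sample input is constructed: it contains the alert quoted above plus a made-up ICMP alert (placeholder sid 100001) to exercise the port-less case, and an unrelated sshd line that the parser must ignore. The optional `[Classification: ...] [Priority: n]:` suffix and the `snort[pid]:` tag are assumed from the syslog output plugin's format and are not shown on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the logcheck lines from the post (the "+" line is a
# logcheck continuation), one made-up ICMP alert with a placeholder sid, and
# one non-Snort syslog line that must be skipped.
SAMPLE_LOGCHECK = """\
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
May 20 15:20:01 greatwall snort: [1:100001:1] CONSTRUCTED ICMP test alert [Classification: Constructed] [Priority: 3]: {ICMP} 10.0.0.5 -> 192.168.1.10
May 20 15:21:44 greatwall sshd[123]: Accepted password for someone from 10.0.0.9
"""

# Assumed alert_syslog line shape: syslog timestamp, host, "snort:" (optionally
# with a pid), "[gid:sid:rev]", the rule message (possibly followed by
# classification/priority and a colon), "{PROTO}", then "src -> dst".
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?):? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    message: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str):
    """Split IPv4 'addr:port' into (addr, port); port-less protocols such as ICMP give (addr, None)."""
    if ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def join_logcheck_continuations(text: str) -> List[str]:
    """Rejoin lines that logcheck wrapped: a line starting with '+' continues the previous one."""
    joined: List[str] = []
    for line in text.splitlines():
        if line.startswith("+") and joined:
            joined[-1] += " " + line[1:]
        else:
            joined.append(line)
    return joined


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return SnortAlert(
        timestamp=m["ts"], host=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        message=m["msg"], proto=m["proto"],
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_logcheck_report(text: str) -> List[SnortAlert]:
    """Parse a logcheck 'Security Violations' excerpt into alert records."""
    return [a for a in map(parse_alert, join_logcheck_continuations(text)) if a]


def alerts_per_destination_port(alerts: List[SnortAlert]) -> Counter:
    """Count alerts by destination port; useful for spotting which services draw fire."""
    return Counter(a.dst_port for a in alerts if a.dst_port is not None)


if __name__ == "__main__":
    for alert in parse_logcheck_report(SAMPLE_LOGCHECK):
        print(f"{alert.timestamp} sid={alert.sid} {alert.proto} "
              f"{alert.src_ip}:{alert.src_port} -> {alert.dst_ip}:{alert.dst_port} "
              f"{alert.message}")
    print(alerts_per_destination_port(parse_logcheck_report(SAMPLE_LOGCHECK)))
```

Feeding a real logcheck report through `parse_logcheck_report` gives a quick way to confirm that alerts really are reaching syslog when binary logging is enabled, since an empty result on a busy sensor points at the output configuration rather than at the rules.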







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

