Snort mailing list archives

Re: Stupid question, as in I ought to know the answer to


From: Phil Wood <cpw () lanl gov>
Date: Tue, 25 Jun 2002 12:29:44 -0600

Well, I misspoke, it turned out.  I took a closer look, and the type "log"
really did not work.  So, for now I write alerts to /dev/null and the red
alerts do go to syslog and I get everything in the binarylogfile.
What I'm trying to do is cut down on the CPU devoted to unnecessary stuff.
Any ideas on the right way to do this?

The only thing that works for me at this point is:

      output alert_fast: /dev/null  # I don't want to see all the alerts
      output log_tcpdump: /some/full/path/to/binarylogfile
      ruletype redalert
      {
        type alert  # I just want the redalerts to show up immediately
        output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
      }

I post-process the binary file for the regular alerts at a later time.

On Tue, Jun 25, 2002 at 10:35:09AM -0600, Phil Wood wrote:

Here is what I want to do:

  1. log alerts to binary file
  2. log "redalerts" to syslog
  3. DO NOT create an alert file (fast or full)
  
Here is what I did to get that to happen:

  1. put the following in my config file:

     output log_tcpdump: /some/full/path/to/binarylogfile

     ruletype redalert
     {
       type log  # notice: not alert
       output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
     }

  2. start snort with the -A none option

This causes a WARNING:

WARNING: command line overrides rules file alert plugin!

However, I get the desired result, namely no alert file (fast or full format),
and syslogs for the few redalerts I want to know about instantly.

So, what could I do otherwise to get the desired result, and avoid the
WARNING?

Thanks,

Phil


-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



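As an added example, not taken from either message in the thread: a snort.conf fragment that declares the redalert rule type the way the second attempt does (type alert, syslog output inside the block) and adds the part the posts declare but never show, a rule whose action field is the custom type name so that it is routed through that type's output plugin. The paths, the HOME_NET/EXTERNAL_NET values, the syslog facility and both rules are constructed for illustration.

```snort
# Added example config (not from the original thread). Paths, network
# variables and the two rules below are constructed for illustration.

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Global output plugin: packets that trigger rules are written in libpcap
# format to a binary log that can be post-processed later, for instance by
# reading it back through the rule set with "snort -r <file> -c snort.conf".
output log_tcpdump: /var/log/snort/snort.log

# Custom rule type. "type alert" makes rules of this type behave like the
# built-in alert action; the output plugin declared inside the block is the
# one that receives the events for rules that use this type.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
}

# Built-in action: handled by the output plugins configured for "alert",
# so it is a candidate for the batch post-processing path.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt (constructed example)"; flags:S; sid:1000001; rev:1;)

# Custom action: the action field names the ruletype, so a match is sent
# to the redalert block's alert_syslog output and shows up immediately.
redalert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt (constructed example)"; flags:S; sid:1000002; rev:1;)
```

Whether events from redalert rules also reach the global log_tcpdump output, as the first message reports for its setup, should be confirmed for the Snort version in use: trigger the constructed rule with a single SYN to port 22 on a HOME_NET host and read the binary file back with snort -r to see whether that packet was recorded.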

