Snort mailing list archives

Snort, Demarc and excessive logging


From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Tue, 16 Apr 2002 16:27:05 +0200

I got snort & demarc working together nicely. One problem though:

On each sensor I have in /var/log/snort duplicate logs and packet
traces that ALSO went to the mysql used by demarc.

Somehow snort must be logging BOTH locally and to the mysql db.

The config /usr/local/demarc/conf/snorteth1.conf:

preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 16 12 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET

output database: alert, mysql, user=snort dbname=snort password=xxx host=xxx.xxx.xxx.xxx sensor_name=cia

... snip ...
alert rules and classifications follow

Snort-1.8.6 itself runs using:
/usr/sbin/snort -o -q -u snort -g snort -z est -i eth1 -c /usr/local/demarc/conf/snorteth1.conf

-- 
Ralf Hildebrandt (on behalf of Referat V A)     Ralf.Hildebrandt () charite de
Charite Campus Virchow-Klinikum                 Tel.  +49 (0)30-450 570-155
Referat V A - Communication Networks -          Fax.  +49 (0)30-450 570-916
To a database person, every nail looks like a thumb. Or something like that.
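One way to check a sensor for exactly this situation, as an added example that is not code from the post or from Snort: a small Python routine that reads the `output` lines of a snort.conf fragment plus the snort command line and reports where each facility (alert, log) ends up. The config text and the host address in it are constructed; the check assumes Snort's documented behaviour that a facility with no output plugin uses the built-in logger under the log directory (`-l`, default /var/log/snort) and that `-N` turns packet logging off.

```python
import re
import shlex

# Constructed snort.conf fragment modelled on the post; host is a placeholder.
SNORT_CONF = """\
preprocessor frag2
preprocessor stream4: noalerts
output database: alert, mysql, user=snort dbname=snort password=xxx host=192.0.2.10 sensor_name=cia
"""
# Command line as given in the post.
SNORT_CMD = ("/usr/sbin/snort -o -q -u snort -g snort -z est -i eth1 "
             "-c /usr/local/demarc/conf/snorteth1.conf")

OUTPUT_RE = re.compile(r"^\s*output\s+(\S+?)\s*(?::\s*(.*))?$")

def output_facilities(conf_text):
    """Map each output facility ('alert', 'log') to the plugins configured for it.
    alert_*/log_* plugins imply their facility; database and xml name it after the colon."""
    facilities = {"alert": [], "log": []}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1), m.group(2) or ""
        if plugin.startswith("alert_"):
            facilities["alert"].append(plugin)
        elif plugin.startswith("log_"):
            facilities["log"].append(plugin)
        else:
            facility = args.split(",", 1)[0].strip()
            if facility in facilities:
                facilities[facility].append(plugin)
    return facilities

def logging_destinations(conf_text, cmdline):
    """Where alerts and packet logs go for this config and command line.
    A facility with no plugin falls back to Snort's built-in logger in the log
    directory (-l, default /var/log/snort); -N turns the packet logger off."""
    args = shlex.split(cmdline)
    logdir = args[args.index("-l") + 1] if "-l" in args else "/var/log/snort"
    fac = output_facilities(conf_text)
    dest = {"alert": fac["alert"] or ["builtin alert file in " + logdir]}
    if fac["log"]:
        dest["log"] = fac["log"]
    elif "-N" in args:
        dest["log"] = ["packet logging disabled by -N"]
    else:
        dest["log"] = ["builtin packet logger in " + logdir]
    return dest
```

Run against the post's fragment, the alert facility resolves to the database plugin while the log facility still resolves to the built-in packet logger in /var/log/snort, which is the kind of split that leaves local packet traces beside the database copy.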

