Snort mailing list archives
Snort, Demarc and excessive logging
From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Tue, 16 Apr 2002 16:27:05 +0200
I got snort & demarc working together nicely. One problem though: On each sensor I have in /var/log/snort duplicate logs and packet traces that ALSO went to the mysql used by demarc. Somehow snort must be logging BOTH locally and to the mysql db.

The config /usr/local/demarc/conf/snorteth1.conf:

preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 16 12 portscan.log
preprocessor portscan-ignorehosts: $HOME_NET
output database: alert, mysql, user=snort dbname=snort password=xxx host=xxx.xxx.xxx.xxx sensor_name=cia

... snip ... alert rules and classifications follow

Snort-1.8.6 itself runs using:

/usr/sbin/snort -o -q -u snort -g snort -z est -i eth1 -c /usr/local/demarc/conf/snorteth1.conf

-- 
Ralf Hildebrandt (on behalf of Referat V A)   Ralf.Hildebrandt () charite de
Charite Campus Virchow-Klinikum               Tel. +49 (0)30-450 570-155
Referat V A - Communication Networks          Fax. +49 (0)30-450 570-916
To a database person, every nail looks like a thumb. Or something like that.
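A small config audit that illustrates the situation in the post: Snort declares output sinks per facility ("alert" and "log"), and a config that only declares an alert sink leaves the log facility on its built-in default, which is packet logging into the log directory unless packet logging is switched off on the command line with -N. This is an added example, not code from the post or from the Snort or Demarc projects; the sample config is constructed after the one quoted above, and the plugin-to-facility table and the default behaviour are assumptions based on the Snort 1.x documentation of the time.

```python
"""Audit which Snort output facilities a config leaves on their defaults (added example)."""
import re

# Plugins whose name fixes the facility; 'database' takes it from its first argument.
# Assumed from Snort 1.x plugin names.
ALERT_PLUGINS = {"alert_syslog", "alert_fast", "alert_full", "alert_unixsock", "alert_smb"}
LOG_PLUGINS = {"log_tcpdump", "log_null"}

# Constructed sample modelled on the config quoted in the post (secrets redacted).
SAMPLE_CONF = """\
preprocessor frag2
preprocessor portscan: $HOME_NET 16 12 portscan.log
output database: alert, mysql, user=snort dbname=snort password=xxx host=xxx.xxx.xxx.xxx sensor_name=cia
"""


def parse_outputs(conf_text):
    """Return a list of (facility, plugin, args) for every 'output' directive."""
    sinks = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+(\w+)\s*:?\s*(.*)", line)
        if not m:
            continue
        plugin, args = m.group(1), m.group(2).strip()
        if plugin == "database":
            facility = args.split(",")[0].strip()  # "alert" or "log"
        elif plugin in ALERT_PLUGINS:
            facility = "alert"
        elif plugin in LOG_PLUGINS:
            facility = "log"
        else:
            facility = "unknown"
        sinks.append((facility, plugin, args))
    return sinks


def audit(conf_text, cmdline_flags=()):
    """List facilities that fall back to Snort's default output in the log directory."""
    declared = {facility for facility, _, _ in parse_outputs(conf_text)}
    findings = []
    if "alert" not in declared:
        findings.append("alert: no alert sink declared, default alert file in the log directory applies")
    if "log" not in declared and "-N" not in cmdline_flags:
        findings.append("log: no log sink declared and no -N, default packet logging in the log directory applies")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ("-o", "-q", "-z", "est")):
        print(finding)
```

Run against the sample with the flags from the post it reports only the log facility; adding -N, or declaring a log sink such as output log_null, clears the finding.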