Snort mailing list archives
Re: snort-1.8.7 and alert file
From: "Michael Scheidell" <scheidell () secnap net>
Date: Fri, 2 Aug 2002 10:56:57 -0400
"Andrew R. Baker" <andrewb () snort org> wrote in message news:3D46B227.4010205 () snort org...
get rid of the log_null and the "-N" on the commandline. Instead add "-A none" to your commandline to turn off the alerting. The unified log file will contain the alert data *and* the packet logs.
I have attempted, on many versions of both snort and barnyard, to have one copy of snort and barnyard do both the log and alert files. I have ended up needing one copy of snort (which outputs TWO unified files) and two copies of barnyard with two different config files.

What I would want to do is to have snort create a unified file with both log and alerts in it. Seems to be able to do that (I think), but I don't know how to verify that this file has logs AND alerts in it.

/usr/local/bin/snort -doDI -m 022 -z \
    -c /usr/local/etc/snort.conf -i rl0 -A none

(using -l /var/log/snort instead of -A none only creates an 'alerts' file from snort, not barnyard)

snort.conf: (it's all in /var/log/snort/log.* right?)

#output alert_unified: filename /var/log/snort/alert, limit 128
output log_unified: filename /var/log/snort/log, limit 128

-rw-r--r--  1 root  wheel  1386 Aug  2 10:37 log.1028298969

seems to process the 'log.*' file and log plugins fine, but not the alert ones:

Loading Data Processors...
  dp_alert loaded
  dp_log loaded
  dp_stream_stat loaded
Loading Built-in Output Plugins...
  Fast Alert plugin initialized
  AlertSyslog initialized
  Log Dump plugin initialized
  LogPcap initialized
  AcidDb output plugin initialized
  AlertCSV initialized

config daemon
config interface: LAN
config filter: not localhost
processor dp_alert
processor dp_log
output alert_fast: /var/log/snort/fast.alert
processor dp_stream_stat
output alert_csv: /var/log/snort/fast.csv protoname,timestamp,srcip,sport
output log_acid_db: mysql, sensor_id 1, database snort,

Neither the fast.alert file nor the csv file is updated.
Not when run in daemon mode, nor one-shot:

-rw-r--r--  1 root  security     1386 Aug  2 10:37 log.1028298969
drwxr-xr-x  2 root  security     1024 Aug  2 10:37 archive
-rw-r--r--  1 root  security  2333429 Aug  1 00:44 fast.alert

Aug  2 10:44:47 scanner barnyard: Args: mysql, sensor_id 1, database snort, server localhost, user root, detail full
Aug  2 10:44:47 scanner barnyard: Initializing daemon mode
Aug  2 10:44:47 scanner barnyard: Barnyard Version 0.1.0-rc2 (Build 11) started
Aug  2 10:44:47 scanner barnyard: AcidDbOpStart
Aug  2 10:44:47 scanner barnyard: OpAcidDB configuration details
Aug  2 10:44:47 scanner barnyard: Database Flavour: mysql
Aug  2 10:44:47 scanner barnyard: Detail Level: Full
Aug  2 10:44:47 scanner barnyard: Database Server: localhost
Aug  2 10:44:47 scanner barnyard: Database User: root
Aug  2 10:44:47 scanner barnyard: SensorID: 1
Aug  2 10:44:47 scanner barnyard: AcidDbOpStart Complete
Aug  2 10:44:47 scanner barnyard: Number of records: 2
Aug  2 10:44:47 scanner barnyard: Exiting
Aug  2 10:44:47 scanner barnyard: AcidDbOpStop
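The open question in the post is how to check that a log_unified spool file really carries alert data as well as packets. The following Python checker is an added example, not code from this thread or from the Snort or Barnyard projects. It assumes the Snort 1.8-era unified structs (UnifiedLogFileHeader, Event, UnifiedLog) as written in host byte order on a 32-bit little-endian host, and the LOG_MAGIC / ALERT_MAGIC values from spo_unified.h; the layout, the magic values and the sample file it builds are all assumptions to verify against the source of the Snort build that wrote the file. Under that layout every log_unified record is an Event block (generator, signature id, revision, classification, priority, event ids, reference time) followed by a pcap packet header and the packet bytes, which is exactly what Andrew's reply says the file contains.

```python
"""Inspect a Snort 1.x log_unified spool file and report whether each record
carries both alert (Event) fields and a captured packet.

ASSUMPTION: struct layout taken from Snort 1.8-era spo_unified.h
(UnifiedLogFileHeader, Event, UnifiedLog), host byte order on a 32-bit
little-endian host. Check against the spo_unified.h that built your snort.
"""
import struct
import sys

LOG_MAGIC = 0xDEAD1080    # assumed value of LOG_MAGIC in spo_unified.h
ALERT_MAGIC = 0xDEAD4137  # assumed value of ALERT_MAGIC in spo_unified.h

# UnifiedLogFileHeader: magic, version_major, version_minor, timezone, snaplen, linktype
FILE_HDR = struct.Struct("<IHHIII")
# UnifiedLog record: Event (9 x u32) + flags (u32) + pcap_pkthdr (ts_sec, ts_usec, caplen, len)
LOG_REC = struct.Struct("<IIIIIIIII" "I" "IIII")
EVENT_FIELDS = ("sig_generator", "sig_id", "sig_rev", "classification",
                "priority", "event_id", "event_reference", "ref_sec", "ref_usec")


def parse_unified(data):
    """Return {'kind': 'log'|'alert', 'records': [...]} for a unified file blob."""
    if len(data) < FILE_HDR.size:
        raise ValueError("file shorter than a unified file header")
    magic, _vmaj, _vmin, _tz, snaplen, linktype = FILE_HDR.unpack_from(data, 0)
    if magic == ALERT_MAGIC:
        # alert_unified spool: event records only, no packet payloads inside
        return {"kind": "alert", "records": []}
    if magic != LOG_MAGIC:
        raise ValueError("unknown magic 0x%08x" % magic)
    records = []
    off = FILE_HDR.size
    while off + LOG_REC.size <= len(data):
        fields = LOG_REC.unpack_from(data, off)
        event = dict(zip(EVENT_FIELDS, fields[:9]))
        flags, ts_sec, ts_usec, caplen, pktlen = fields[9:]
        off += LOG_REC.size
        if off + caplen > len(data):
            raise ValueError("truncated packet in record %d" % len(records))
        pkt = data[off:off + caplen]
        off += caplen
        records.append({"event": event, "flags": flags, "ts": (ts_sec, ts_usec),
                        "caplen": caplen, "pktlen": pktlen, "packet": pkt})
    if off != len(data):
        raise ValueError("%d trailing bytes after the last record" % (len(data) - off))
    return {"kind": "log", "snaplen": snaplen, "linktype": linktype, "records": records}


def has_alerts_and_packets(data):
    """True when the file is a log spool and every record has a non-zero
    signature id (alert data) AND a non-empty captured packet (log data)."""
    recs = parse_unified(data)["records"]
    return bool(recs) and all(r["event"]["sig_id"] != 0 and r["caplen"] > 0
                              for r in recs)


def build_sample_log():
    """Constructed sample log_unified file with two records (not real Snort output)."""
    out = bytearray(FILE_HDR.pack(LOG_MAGIC, 1, 2, 0, 1514, 1))  # linktype 1 = DLT_EN10MB
    samples = [
        # sig_generator, sig_id, sig_rev, class, prio, event_id, event_ref, ref_sec, ref_usec, packet
        (1, 1000001, 1, 3, 2, 1, 1, 1028298969, 0, b"\xaa" * 60),
        (1, 1000002, 1, 3, 2, 2, 2, 1028298970, 500, b"\xbb" * 80),
    ]
    for *ev, pkt in samples:
        # flags = 0; packet timestamp reuses the event reference time
        out += LOG_REC.pack(*ev, 0, ev[7], ev[8], len(pkt), len(pkt))
        out += pkt
    return bytes(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    info = parse_unified(blob)
    print("kind=%s records=%d alerts_and_packets=%s"
          % (info["kind"], len(info["records"]), has_alerts_and_packets(blob)))
    for r in info["records"]:
        e = r["event"]
        print("  gen=%d sid=%d rev=%d prio=%d caplen=%d"
              % (e["sig_generator"], e["sig_id"], e["sig_rev"], e["priority"], r["caplen"]))
```

Run it with the path to a spool file such as /var/log/snort/log.1028298969; with no argument it parses its own constructed sample. A file whose records all show a signature id and a non-zero caplen carries both the alert and the packet, so a single barnyard reading that one file with dp_log can feed alert-style outputs from it; a file that parses as an alert spool has no packet payloads at all. If the script reports an unknown magic or trailing bytes, the assumed layout does not match that Snort build and the struct definitions must be corrected first.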
Current thread:
- snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file Andrew R. Baker (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Scott Nursten (Jul 30)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
- Re: snort-1.8.7 and alert file Andreas Hasenack (Aug 02)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
- Re: snort-1.8.7 and alert file Andrew R. Baker (Aug 03)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 03)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)