Snort mailing list archives

RE: Snort 1.9, RH 7.3 and Acid


From: "Beckett, Josh" <JBeckett () enviance com>
Date: Tue, 8 Oct 2002 08:37:47 -0700

From the reference [0] below:

"What this means in practical terms is that if the db plug-in
is in alert mode, it will only receive output from alert rules, whereas
if it's in "log" mode it will receive output from both log and alert
rules."

Great...but how do you tell if the plug-in is in alert mode or log mode?
Strictly speaking, there was no mention of such a setting in the setup
doc that I got from the snort site.  Additionally, that doesn't make
sense.  The DB simply listens for an authorized user to insert some
data.  It has no "mode."  (Maybe it is a reference to the setting that
you are changing in the snort.conf file...._shrug_)

I checked both links and neither gave me any appreciable information
over the doc that I used for setup.
http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

Thanks for the attempt though.  The discussion about the difference
between log and alert settings is interesting, but it seems to me that
the settings are more geared toward syslog-type logging rather than db.
The alert setting did start producing output, yet the log setting does
not.  This is somewhat interesting (esp. since the log setting worked in
1.8.7 but not in 1.9.0), as the log setting should be noisier due to the
fact that it should log all packets to the db, yet the db only seems to
get info if snort is given the alert setting.

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net] 
Sent: Monday, October 07, 2002 10:15 AM
Subject: RE: [Snort-users] Snort 1.9, RH 7.3 and Acid

On Mon, 7 Oct 2002, Slighter, Tim wrote:

Changing it from 'alert' to 'log' has nothing to do with the rules, it
only has to do with the output facility.  Marty gives a nice breakdown
of it in an old message [0] to the list.

[0]     http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1]     http://acidlab.sourceforge.net/acid_config.html
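As an added example (not from the original thread or the Snort project): the plug-in's mode is the first argument on the "output database:" line in snort.conf, so a small parser can answer the "how do you tell" question and apply the alert/log rule quoted above. The snort.conf fragment and its user/dbname/host values are constructed for the example.

```python
import re

# Constructed snort.conf fragment (not from the original thread). The
# "output database: <alert|log>, <dbtype>, <params>" syntax is Snort's own;
# the user/dbname/host values are made up.
SAMPLE_CONF = """\
# output plugins
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort_log host=localhost
output log_tcpdump: snort.log
"""

OUTPUT_DB = re.compile(
    r'^output\s+database\s*:\s*(alert|log)\s*,\s*(\w+)\s*,\s*(.*)$', re.I)


def parse_db_outputs(conf_text):
    """Return (mode, backend, params) for every 'output database:' line.

    The first argument after the colon is the plug-in's mode, which is
    what decides which rule output the database receives."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OUTPUT_DB.match(line)
        if m:
            params = dict(p.split('=', 1) for p in m.group(3).split() if '=' in p)
            found.append((m.group(1).lower(), m.group(2).lower(), params))
    return found


def receives(mode, rule_action):
    """Apply the rule quoted in the thread: a 'log' mode plug-in receives output
    from both log and alert rules, an 'alert' mode plug-in only from alert rules."""
    mode, rule_action = mode.lower(), rule_action.lower()
    if rule_action not in ('alert', 'log'):
        raise ValueError('only alert/log rule actions are covered here')
    if mode == 'log':
        return True
    if mode == 'alert':
        return rule_action == 'alert'
    raise ValueError('unknown output mode: %s' % mode)


def report(conf_text):
    """For each database plug-in, say which rule actions will reach it."""
    return [{'mode': mode, 'backend': backend, 'dbname': params.get('dbname'),
             'reaches': {a: receives(mode, a) for a in ('alert', 'log')}}
            for mode, backend, params in parse_db_outputs(conf_text)]


if __name__ == '__main__':
    for entry in report(SAMPLE_CONF):
        print(entry)
```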


