Snort mailing list archives

RE: disable /var/log/snort logging

From: "Nick White" <nwhite () avidbio com>
Date: Thu, 8 May 2003 09:10:42 -0700

Thanks LCL for your suggestions and documentation references.  I now
better understand how snort treats alerts verses logs.  I've tried your
suggestion with the following line in my snort.conf:
output database: alert, mysql, log_null, user=snortusr password=fakepass
dbname=snort host=localhost

But it's still alerting to /var/log/snort.  Whenever I use the -N option
to start snort, it still alerts, but doesn't log any of the packet data.


Snort is starting with -u snort -g snort -d -D -b -c
/etc/snort/snort.conf.  I've tried removing -b, but it still alerts to
disk.  Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com] 
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging


Nick,  

Snort uses two output facilities - one for alerts and one for logs [0]
(a
must read).  Your snort.conf only specifies an output facility for the
alerts, so I'm thinking that Snort therefore falls back to its 'default'
logging facility (i.e., /var/log).

From what I've read and understand, you have two choices:


1)  '-N' on the command line (yes, I know you said it didn't work) 
2)  In snort.conf, add a 'output log_null' after the 'output database:
alert
...' 

Also: "Note that command line logging options override any output
options
specified in the configuration file. This allows debugging of
configuration
issues quickly via the command line." [1]  

This could be why specifying '-N' on the command line disables the
output
plugin for MySQL.  Try the 'output log_null' in snort.conf and let us
know
what happens.  


HTH, 

Christopher  

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1


-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Wednesday, May 07, 2003 7:48 PM
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging


You're right, the -N option turns off packet logging.  Sure it doesn't
write to the disk, but it turns off packet logging within mysql as well
- not cool.  Surely there is a way to have snort log everything to mysql
(even packet logging), without dumping data to the hard drive.  I just
can't figure out how.  I'm starting snort with -b (binary logging)
option, which takes care of it crashing after a few minutes under a
really heavy load.  Even still, logging to the disk is a total waste
because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy () umbc edu] 
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging


The -N option should suppress logging (while allowing alerts).

Caveats:
        1. I don't know if it will stop logs to mysql, too.
        2. The option doesn't seem to be working on my
                system  (Solaris 8) under Snort 2.0.

                                        - Andy

On Tue, 6 May 2003, Nick White wrote:

Hi All,
I'm fairly new with snort, so go easy on me.  I'm running snort and
logging to mysql just fine.  The problem is, it's also logging to
/var/log/snort.  I need to figure out how to disable this logging to
disk.  I've looked at all the switches, and I can't seem to figure it
out.  I tried -A none, but then it stopped alerting to mysql.  I also
tried -l /dev/null, but it didn't like that one.

Snort starts as a service via:
/usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf

In snort.conf, I log to mysql with:
output database: alert, mysql, user=snortusr password=fakepass
dbname=snort host=localhost

I'm trying to kill snort with as much data as I can throw at it, and

it

always dies after a few minutes with:
May  6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() =>
fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory

But I KNOW that the snort user has full permission to /var/log/snort.
But I don't need logging to disk.  It's a waste.  I only want it to

log

to mysql.

Thanks for your help!
- nick white


-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise

solutions

www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list


------------------------------------------------------------------------
------
** Andy Johnston (andy () umbc edu)          *            pager:
410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002)
4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21
9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0
56 **
------------------------------------------------------------------------
------



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

disable /var/log/snort logging Nick White (May 06)
- Re: disable /var/log/snort logging Anderson Johnston (May 06)
- <Possible follow-ups>
- RE: disable /var/log/snort logging Nick White (May 07)
  - Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging Joesph Bowling (May 07)
- RE: disable /var/log/snort logging L. Christopher Luther (May 07)
- RE: disable /var/log/snort logging Nick White (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)
  - Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)