Snort mailing list archives

RE: Dual Alerts ?


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 14 Apr 2003 19:38:52 -0400

In earlier Win32 versions of Snort (prior to 2.0 rc3 or so?!), the '-s'
parameter (at least in Win32) was somewhat busted, but I understand that
it's been fixed.  I also seem to remember posts on this list about '-s'
being busted in non-Win32 platforms, but again, I think it's now fixed.  

As an FYI:  I patched my 1.8.7 and 1.9.0 versions so that '-s' didn't
override the output plugin statements in snort.conf.

So, are you still getting duplicate (dual) alerts in ACID and syslog or is
everything straight now?  

- Christopher 


-----Original Message-----
From: David Markle [mailto:davidmarkle () comcast net]
Sent: Monday, April 14, 2003 6:57 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Dual Alerts ?


I was under the impression that the command line argument for syslog
overrides the snort.conf file settings, therefore strayed from that
approach.  Although working on your suggestion, I (had) the following:

  output alert_syslog: LOG_local1 LOG_ALERT
  output database: alert, mysql, user=root password=mypwd dbname=snort host=localhost

In my local syslog.conf, I have remote logging to another host from the
local1 facility.  A bit convoluted, but functional.

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Monday, April 14, 2003 1:37 PM
To: 'davidmarkle () comcast net'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Dual Alerts ?


Hi, David.  

I run two Snort sensors in a Win32 environment.  Both sensors "log" to MySQL
and also alert to two separate end-points:  syslog and a text file.  My
output statements in snort.conf look like:  

  output alert_fast: alert.ids
  output database: log, mysql, host=somehost port=3306 dbname=snortdb user=snort \
                   password=somepassword sensor_name=sensor1 encoding=hex detail=Full
  output alert_syslog: LOG_AUTHPRIV LOG_ALERT

My syslog server is a remote server, and I specify the address of that
server using the '-s ipaddr:514' command line parameter for Snort.  

I get no duplicate alerts.  So what are the exact output statements you're
using in snort.conf, and what is the command line you're using to start
Snort?  

- Christopher 


-----Original Message----- 
From: David Markle [mailto:davidmarkle () comcast net] 
Sent: Sunday, April 13, 2003 9:44 PM 
To: snort-users 
Subject: [Snort-users] Dual Alerts ? 


I would really like to have TWO working OUTPUT PLUGINS: (Databases and
Syslog).  From what I have determined, two Syslog FACILITIES are used
(auth.notice and daemon.notice).  The auth.notice (which is configurable in
the snort.conf) is used for alerts and daemon.notice is used for snort
start/stop etc.  

Both output plugins are important because I want Syslog to a remote host and
the database output plug for ACID.  The problem is, I'm getting dual alerts
in both ACID and Syslog and do not know why, (other than two output plug
entries in the .conf file - duh).  Can't the output plugs fork the data
independently ?  Is this a limitation of the product or my knowledge ??

Thanks in advance. 

David Markle 




_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
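Editor's added example (not part of any message in this thread, and not Snort or syslogd code): the thread relies on syslog.conf forwarding a facility off-box (local1 in David's setup, authpriv in Christopher's) while snort's own start/stop messages stay in daemon.notice. Before trusting that split, it helps to evaluate the syslog.conf selectors for a given facility.severity and see every destination a Snort alert would reach. The evaluator below implements classic BSD syslog.conf selector rules (comma-separated facilities, ';'-separated parts applied left to right so a later 'fac.none' overrides an earlier '*.info', '=prio' for an exact severity). The config text, the host loghost.example.net and the file paths are constructed for illustration; the '-s' command-line option is not modelled.

```python
# Added example: evaluate classic BSD syslog.conf selectors to see where a
# Snort alert_syslog message lands.  Config text, host name and paths below
# are constructed for illustration, not taken from the thread.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def _sev_index(name):
    """Numeric severity; a lower number is more severe (RFC 3164 ordering)."""
    return SEVERITIES.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """Return [(selector, action), ...] for each non-comment, non-empty line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)      # selector, then whitespace, then action
        if len(parts) != 2:
            continue                     # malformed line: no action field
        rules.append((parts[0], parts[1].strip()))
    return rules


def selector_matches(selector, facility, severity):
    """Evaluate 'fac[,fac].prio[;fac.prio...]' for one message.

    Parts are applied left to right; a later part overrides an earlier one
    for the facilities it names, which is how 'mail.none' after '*.info'
    keeps mail out of a catch-all line.  A bare priority means 'this
    severity or worse', '=prio' means exactly that severity, 'none' disables.
    """
    matched = False
    for part in selector.split(";"):
        fac_list, sep, prio = part.rpartition(".")
        if not sep:
            continue                     # malformed part, ignore it
        facs = fac_list.split(",")
        if facility not in facs and "*" not in facs:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = severity == prio[1:]
        else:
            matched = _sev_index(severity) <= _sev_index(prio)
    return matched


def route(rules, facility, severity):
    """List every action (file, @host, ...) that receives facility.severity."""
    return [action for sel, action in rules if selector_matches(sel, facility, severity)]


# Constructed syslog.conf: catch-all line, secure log, local1 forwarded off-box.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
local1.*                            @loghost.example.net
"""

# Same file with local1 excluded from the catch-all, so alerts go off-box only.
FIXED_CONF = """
*.info;mail.none;authpriv.none;local1.none   /var/log/messages
authpriv.*                                   /var/log/secure
local1.*                                     @loghost.example.net
"""


def where_does_an_alert_go(conf_text, facility="local1", severity="alert"):
    """Destinations for one message under the given syslog.conf text."""
    return route(parse_syslog_conf(conf_text), facility, severity)


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, "local1.alert   ->", where_does_an_alert_go(conf))
        print(name, "daemon.notice  ->", where_does_an_alert_go(conf, "daemon", "notice"))
        print(name, "authpriv.alert ->", where_does_an_alert_go(conf, "authpriv", "alert"))
```

With the sample file a local1 alert is written to /var/log/messages as well as forwarded, because `*.info` already covers local1; adding `local1.none` to the catch-all line leaves only the remote destination. Snort's own daemon.notice start/stop messages stay local under both files, and an authpriv alert (Christopher's facility) goes to /var/log/secure only. Run the same check against the real syslog.conf before concluding that a second copy of an alert came from Snort rather than from syslogd.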
