Snort mailing list archives
FW: Asking Snort to do too much?
From: "Lance Lloyd" <lance.lloyd () atlasdmt com>
Date: Fri, 22 Aug 2003 14:51:57 -0700
Question too vague?
-----Original Message-----
From: Lance Lloyd
Sent: Thursday, August 21, 2003 12:33 PM
To: Snort (E-mail)
Subject: Asking Snort to do too much?
So here's my dilemma. I want Snort to log to a total of 3 places, a MySQL DB, and two different syslogs. I want all
alerts to be sent to the DB and one of the logs. I have a custom ruletype that I would like to log to the 2nd syslog.
The problem I am having is that all alerts are being sent to both syslogs. I've tried using different facilities and
different priorities for them, but it still wants to send to both. Below are the configuration options I'm using.
Here's the relevant part of my conf file:
output alert_syslog: LOG_LOCAL5 LOG_ALERT
output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall
ruletype sev1
{
    type alert
    output alert_syslog: LOG_LOCAL5 LOG_CRIT
    output database: log, mysql, user=snort dbname=snort host=10.17.0.41 sensor_name=OutsideCorpFirewall
    output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall
}
And the relevant part of my syslog.conf:
#Snort
#local5.* /var/log/snort
local5.alert @10.17.0.41
local5.crit @10.17.9.18
Can't think of anything I haven't tried. Thanks in advance.
Lance
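
Added example (not part of the original message and not Snort code): a small Python model of how a classic syslogd evaluates the syslog.conf quoted above. A selector such as local5.crit matches that priority and every more severe one, so a message logged at LOG_ALERT matches both lines. The function names and the EXACT variant are constructed for illustration; the "=" exact-match form is a sysklogd extension and assumes the sensor's syslogd supports it.

```python
# Added example: models classic syslogd selector matching.
# Handles one "facility.priority action" selector per line only.
# Lower number = more severe (values from <syslog.h>).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def parse_rules(conf_text):
    """Return (facility, priority_spec, action) for each active line."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        selector, action = line.split(None, 1)
        facility, prio = selector.split(".", 1)
        rules.append((facility, prio, action.strip()))
    return rules

def selector_matches(prio_spec, msg_prio):
    if prio_spec == "*":
        return True
    if prio_spec == "none":
        return False
    if prio_spec.startswith("="):  # sysklogd extension: exactly this priority
        return SEVERITY[prio_spec[1:]] == SEVERITY[msg_prio]
    # Default rule: the named priority or anything more severe.
    return SEVERITY[msg_prio] <= SEVERITY[prio_spec]

def destinations(conf_text, facility, msg_prio):
    """List every action that would receive a facility/priority message."""
    return [action for fac, prio, action in parse_rules(conf_text)
            if fac in (facility, "*") and selector_matches(prio, msg_prio)]

# The syslog.conf from the message above.
POSTED = """\
#Snort
#local5.* /var/log/snort
local5.alert @10.17.0.41
local5.crit @10.17.9.18
"""

# Constructed variant: exact-match selectors (assumes sysklogd-style "=").
EXACT = "local5.=alert @10.17.0.41\nlocal5.=crit @10.17.9.18\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("exact-match", EXACT)):
        for prio in ("alert", "crit"):
            print(name, prio, destinations(conf, "local5", prio))
```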
