Snort mailing list archives

Re: FW: Asking Snort to do too much?


From: Erek Adams <erek () snort org>
Date: Mon, 25 Aug 2003 12:00:31 -0400 (EDT)

On Fri, 22 Aug 2003, Lance Lloyd wrote:

> Question too vague?

No.  I just thought someone else might chime in, since I was feeling lazy.

> So here's my dilemma.  I want Snort to log to a total of 3 places, a
> Mysql DB, and two different syslogs.  I want all alerts to be sent to
> the DB and one of the logs.  I have a custom ruletype that I would like
> to log to the 2nd syslog. The problem I am having is that all alerts are
> being sent to both syslogs.  I've tried using different facilities and
> different priorities for them, but it still wants to send to both.
> Below are the configuration options I'm using.
>
> Here's the relevant part of my conf file:
>
> output alert_syslog: LOG_LOCAL5 LOG_ALERT
>
> output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41
> sensor_name=OutsideCorpFirewall
>
> ruletype sev1
> {
>   type alert
>   output alert_syslog: LOG_LOCAL5 LOG_CRIT
>   output database: log, mysql, user=snort dbname=snort host=10.17.0.41
>   sensor_name=OutsideCorpFirewall
>   output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41
>   sensor_name=OutsideCorpFirewall
> }
>
> And the relevant part of my syslog.conf
>
> #Snort
> #local5.*                                                /var/log/snort
> local5.alert                                            @10.17.0.41
> local5.crit                                             @10.17.9.18
>
> Can't think of anything I haven't tried.  Thanks in advance.

A couple of things.

*  Try running two instances of Snort.  One with one config and the other
with a second.  Only one logs to the second db and second syslog.

*  For a test, try having both local5.alert and local5.crit log to a local
file on the box.  Check to make sure that the syslog can separate the two.
Make sure that it doesn't have a weird way of sending *.alert and above to
one file.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
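Added example, not part of this thread nor of Snort or syslogd: a small Python model of classic syslog.conf selector matching, showing why the poster's two lines both receive the LOG_ALERT messages from the global alert_syslog plugin (a plain `facility.priority` selector accepts that priority and everything above it, and alert is above crit), and how the sysklogd/rsyslog `=` modifier pins each line to a single priority. It assumes the poster's syslogd understands the `=` syntax; the host addresses are copied from the posted config.

```python
# Added example: a model of classic syslog.conf selector semantics, used to
# explain the behaviour described in the thread. Priority order follows
# syslog(3); the "=" modifier is sysklogd/rsyslog syntax (assumed available).

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """True if a selector such as 'local5.crit' or 'local5.=crit' accepts a
    message with the given facility and priority. A plain 'fac.prio' means
    prio *and every higher* priority; '=prio' means exactly that priority.
    Only the subset of the syntax needed for this thread is handled."""
    fac, prio = selector.split(".", 1)
    if fac != "*" and fac != facility:
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return PRIORITIES.index(prio[1:]) == PRIORITIES.index(priority)
    return PRIORITIES.index(priority) >= PRIORITIES.index(prio)

def destinations(conf_lines, facility, priority):
    """Return the targets that receive one message under these conf lines."""
    targets = []
    for line in conf_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blanks, as in syslog.conf
        selector, target = line.split()
        if selector_matches(selector, facility, priority):
            targets.append(target)
    return targets

# Constructed copy of the two active lines from the poster's syslog.conf.
ORIGINAL_CONF = [
    "local5.alert    @10.17.0.41",
    "local5.crit     @10.17.9.18",
]
# Same lines with the '=' modifier: each selector now takes one priority only.
EXACT_CONF = [
    "local5.=alert   @10.17.0.41",
    "local5.=crit    @10.17.9.18",
]

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("exact", EXACT_CONF)):
        for prio in ("alert", "crit"):
            print(name, "LOG_" + prio.upper(), "->", destinations(conf, "local5", prio))
```

With the original lines a LOG_ALERT message lands on both hosts while a LOG_CRIT one reaches only 10.17.9.18, which matches the symptom in the question; with `=` each host sees only its own priority.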

