Re: How do I supress file-logging but not database-logging?

[Martin Olsson <elof () sentor se>]

On Wed, 21 Jan 2004, Bamm Visscher wrote:
> Okay, first you need to understand what is going. Snort has two output facilities: ALERT and LOG
> If you don't define a mechanism for handling each of these, the snort will use the defaults. For ALERT, the default 
> is the alert file (/var/log/snort/alert). For LOG, the default is those funky ip addr directories.
>
> In your conf file, you are using:
>   output database: log, mysql, user=$DB_USER password=$DB_PASSWORD
> which attaches the database output mechanism to the LOG facility.

Yes, I use the LOG facility because I want tagged packets to be logged to
ACID. If I recall correctly, the tagging system uses the LOG facility.

> This:
>   output datbase: alert, mysql, blah
> would attach it to the ALERT facility.
> Now, to turn of default LOG you use the -N switch.

Ok, so my problem is that you can't distinguish between what you want to
turn off using the -N switch (as you can with -A). "-N" disables the
entire LOG facility. I guess I needed it to disable just the
/var/log/alert part and leave the database part running.

/Martin




> On Wed, Jan 21, 2004 at 01:58:50PM +0100, Martin Olsson wrote:
> > On Wed, 21 Jan 2004, Dirk Geschke wrote:
> > > > I can't get snort to stop logging to file.
> > > > With '-A none' it is stopped, but this also stop the logging to mysql.
> > > the -A option overwrites the output plugins in snort.conf.
> > >
> > > Try instead the option '-N', this will suppress any normal reporting but
> > > the output plugins will still work.
> >
> > That didn't help.
> >
> > snort.conf:
> > config logdir: /usr/sentor/log
> > config alert_with_interface_name
> > config umask: 022
> > config checksum_mode: none
> > config show_year
> > config interface: em1
> > config detection: search-method ac
> > config threshold: memcap 131072
> > config nolog
> > output database: log, mysql, user=$DB_USER password=$DB_PASSWORD
> > dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
> > config order: pass activation dynamic alert log
> > config reference: sentor http://10.242.2.13/sid/
> > config classification: unknown,Unknown Traffic,3
> > alert tcp any any -> any any (msg:"flash - tcp syn";
> > reference:sentor,9000000.txt; classtype:unknown; sid:9000000; rev:1;)
> >
> > That's all. I just have one single rule.
> >
> >
> >
> > ===== First try: =====
> > /snort -T -c snort.conf -N -u snort -g snort
> > Running in IDS mode
> > Log directory = /var/log/snort
> > ERROR:
> > [!] ERROR: Can not get write access to logging directory "/var/log/snort".
> > (directory doesn't exist or permissions are set incorrectly
> > or it is not a directory at all)
> >
> > Fatal Error, Quitting..
> >
> > ===== Second try: =====
> > (I point out a directory even though I don't want to log anything to it)
> > snort -T -c snort.conf -N -l /usr/sentor/log -u snort -g snort
> > Running in IDS mode
> > Log directory = /usr/sentor/log
> >
> > Initializing Network Interface ed1
> >
> >         --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Decoding Ethernet on interface ed1
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file /usr/sentor/etc/snort.conf.flash_catch_all
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > Found logdir config directive (/usr/sentor/log)
> >
> > Initializing Network Interface ed1
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:          user = flash
> > database: password is set
> > database: database name = catch_all
> > database:          host = 10.242.2.10
> > database:   sensor name = flash
> > database:     sensor id = 1
> > database: schema version = 106
> > database: using the "log" facility
> > 1 Snort rules read...
> > 1 Option Chains linked into 1 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >
> > +-----------------------[thresholding-config]----------------------------------
> > | memory-cap : 131072 bytes
> > +-----------------------[thresholding-global]----------------------------------
> > | none
> > +-----------------------[thresholding-local]-----------------------------------
> > | none
> > +-----------------------[suppression]------------------------------------------
> > | none
> > -------------------------------------------------------------------------------
> > Rule application order: ->pass->activation->dynamic->alert->log
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 2.1.1-RC1 (Build 16)
> > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> > ERROR: OpenAlertFile() => fopen() alert file /usr/sentor/log/alert:
> > Permission denied
> > Fatal Error, Quitting..
> >
> > It still wants to open a file! Is it not possible to turn this off?
> >
> > /Martin



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users