Snort mailing list archives
Re: Upgrade of Snort
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Fri, 24 Sep 2004 17:15:22 -0500
Snort has two output facilities: "alert" and "log". Each facility is assigned a default output format if none is specified. For the alert facility the default is the /var/log/snort/alert file; for the log facility, it is those funky addr:port files in /var/log/snort. By using "output database: log" you have changed the log facility from the default to using the DB, but you have done nothing with the alert facility. Since alert calls log (as long as the function was called with a pointer to a packet), you can safely turn off any alert output by using '-A none' (and -N would turn off any log output).

Bammkkkk

----- Original Message -----
From: O'Flynn, Derek <doflyn () lsuhsc edu>
Date: Fri, 24 Sep 2004 16:57:35 -0500
Subject: RE: [Snort-users] Upgrade of Snort
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

An update: I found the problem. On a hunch I checked /var/log/snort and noticed a big ol' file sitting there. So I deleted it...problem fixed. Why is snort logging to this file when I have it configured to replicate the events to a db?

Derek O'Flynn
Enterprise Information Security
LSU Health Sciences Center
doflyn () lsuhsc edu
(504)568-6130

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
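As an added illustration of the point Bamm makes (this script is not from the thread or from the Snort project), the following POSIX sh helper reads a Snort 2.x snort.conf and reports, for each of the two output facilities, whether an "output" plugin is configured or the facility is still on its built-in default. It assumes the Snort 2.x "output <plugin>: <args>" directive syntax and classifies only the alert_*/log_* plugins and the database plugin (whose first argument names the facility); a config with only "output database: log" shows alert=default, the situation that filled /var/log/snort/alert here.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect a Snort 2.x snort.conf and
# report which of Snort's two output facilities ("alert" and "log") have an
# explicit output plugin. A facility left at "default" falls back to the
# built-in file output (alert -> /var/log/snort/alert) unless it is disabled
# on the command line (-A none for alert, -N for log).

# Map one snort.conf line to a facility: prints alert, log, unknown (an
# output plugin this script does not classify) or none (not an output line).
facility_of_output_line() {
    line=$1
    plugin=$(printf '%s\n' "$line" |
        sed -n 's/^[[:space:]]*output[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:.*/\1/p')
    args=$(printf '%s\n' "$line" |
        sed -n 's/^[[:space:]]*output[[:space:]]*[^:]*:[[:space:]]*//p')
    case "$plugin" in
        '')       echo none ;;
        alert_*)  echo alert ;;       # alert_fast, alert_full, alert_syslog, ...
        log_*)    echo log ;;         # log_tcpdump, log_null, ...
        database)                     # facility is the plugin's first argument
            case "$args" in
                alert*) echo alert ;;
                log*)   echo log ;;
                *)      echo unknown ;;
            esac ;;
        *)        echo unknown ;;
    esac
}

# Summarise a config file as "alert=<configured|default> log=<configured|default>".
# Commented-out directives ("# output ...") are ignored, as Snort ignores them.
snort_output_summary() {
    alert=default
    log=default
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(facility_of_output_line "$line")" in
            alert) alert=configured ;;
            log)   log=configured ;;
        esac
    done < "$1"
    echo "alert=$alert log=$log"
}
```

Run it as `snort_output_summary /etc/snort/snort.conf`; an "alert=default" result means the alert file will keep growing unless Snort is started with -A none or an alert plugin is added.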