Snort mailing list archives
Re: Unifed login plugin
From: Carlos Terrón <terron () arrakis es>
Date: Thu, 29 Mar 2007 16:35:44 +0200 (CEST)
Thanks Patrik

My error, I have seen the alert_unified and log_unified and I assumed that the option also needs an absolute path like the others. Now works fine.

Thank you very much

Greetings
Carlos
> Carlos,
>
> did you set the logdir in your snort.conf?
>
> config logdir: $SNORTDIR/log
>
> Regards,
> Patrik
>
> On Thursday 29 March 2007 16:25, Carlos Terrón wrote:
>> Hi people
>>
>> I'm looking for info on the unified login plugin implemented in spo_unified.c
>>
>> From the documentation of snort, the alerts and the log file are different, i.e.:
>>
>> output alert_unified: filename $SNORTDIR/log/usnort.alert
>> output log_unified: filename $SNORTDIR/log/usnort.log
>>
>> This configuration in the snort.conf writes the alerts in binary form to usnort.alert.timestamp and the packets to the usnort.log.
>>
>> Well, looking at the source code of spo_unified.c, I have seen that there is code to log to one unified file, where each record has the alert information and the packet(s) that cause it.
>>
>> Looking further in the code I have seen the option:
>>
>> output unified
>>
>> That I think that can be the option for that unified logging, but
>>
>> output unified: $SNORTDIR/log/snort.unified.log
>>
>> gives me an error:
>>
>> ERROR: UnifiedInitLogFile(/var/log/snort/snort-unified.1175177880): No such file or directory
>> Fatal Error, Quitting..
>>
>> It's like the $SNORTDIR isn't defined, snort insists on creating the snort log file in /var/log/snort. Is this the correct behaviour of snort or is it a bug?
>>
>> If I put an absolute path it doesn't work either (i.e., output unified: /tmp/snort.log)
>>
>> ERROR: UnifiedInitLogFile(/var/log/snort/snort-unified.1175178254): No such file or directory
>> Fatal Error, Quitting..
>>
>> If I create the /var/log/snort, then the option works as expected (the header of the file created has the correct magic number)
>>
>> Thanks in advance
>> Carlos
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
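A pre-flight check for the failure discussed in this thread, added here as an example (it is not from either poster or from the Snort project): it resolves the `config logdir:` setting of a snort.conf, falls back to the /var/log/snort path seen in the error message, and verifies that the directory exists before Snort is started. The function names and the sample config are constructed, and the parser assumes whitespace-separated `var NAME value` and `config logdir: path` lines.

```shell
#!/bin/sh
# Added example (not Snort code): pre-flight check for the directory in which
# the unified output file is created. Function names are hypothetical.
DEFAULT_LOGDIR=/var/log/snort   # path shown in the error message above

# Print the effective log directory of a snort.conf: the last "config logdir:"
# value with $NAME references expanded from "var NAME value" lines, or
# DEFAULT_LOGDIR when the directive is absent. Assumes whitespace-separated fields.
snort_logdir() {
    awk -v def="$DEFAULT_LOGDIR" '
        /^[ \t]*#/ { next }
        $1 == "var" && NF >= 3 { vars[$2] = $3; next }
        $1 == "config" && $2 == "logdir:" && NF >= 3 { dir = $3 }
        END {
            if (dir == "") dir = def
            out = ""
            while (match(dir, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(dir, RSTART + 1, RLENGTH - 1)
                val = (name in vars) ? vars[name] : "$" name
                out = out substr(dir, 1, RSTART - 1) val
                dir = substr(dir, RSTART + RLENGTH)
            }
            print out dir
        }' "$1"
}

# Return 0 if that directory exists and is writable, 1 otherwise.
check_unified_logdir() {
    dir=$(snort_logdir "$1")
    if [ ! -d "$dir" ]; then
        echo "logdir $dir does not exist; create it or set config logdir" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "logdir $dir is not writable by this user" >&2
        return 1
    fi
    echo "ok: unified output will be created under $dir"
}

# Constructed sample: a temporary tree standing in for $SNORTDIR.
demo() {
    tmp=$(mktemp -d)
    printf 'var SNORTDIR %s\nconfig logdir: $SNORTDIR/log\n' "$tmp" > "$tmp/snort.conf"
    check_unified_logdir "$tmp/snort.conf" || mkdir "$tmp/log"  # fails: no log/ yet
    rc=0
    check_unified_logdir "$tmp/snort.conf" || rc=$?             # passes after mkdir
    rm -rf "$tmp"
    return $rc
}
demo
```

Run it as the account Snort runs under, since the writability test depends on the calling user.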
Current thread:
- Unifed login plugin Carlos Terrón (Mar 29)
- Re: Unifed login plugin Patrik Israelsson (Mar 29)
- Re: Unifed login plugin Carlos Terrón (Mar 29)
- Re: Unifed login plugin Patrik Israelsson (Mar 29)