Snort mailing list archives
Re: Need help 'log to' option of the snort rule
From: Alex Tatistcheff <alex.tatistcheff () gmail com>
Date: Fri, 26 Mar 2010 08:30:22 -0600
I am also interested in any info on this. Last time I tried to use the logto keyword it didn't work for me either. Seems like it might have been removed yet is still in the docs? Either that or we're just missing some key setting.

Alex Tatistcheff
alext () pobox com
The most terrifying words in the English language are, "I'm from the government and I'm here to help." -Ronald Reagan

On Fri, Mar 26, 2010 at 7:48 AM, manjushree ks <manjushree.ks () hotmail com> wrote:
Hi again,

Sorry, a small correction in the rule. It would be:

alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited via a different site"; content:"youtube.com"; threshold: type both, track by_src,count 1, seconds 120;\
logto:"/etc/snort/youtubeviolation.log1"; classtype:policy-violation;sid:7000002;)

Regards,
Manju

------------------------------
From: manjushree.ks () hotmail com
To: snort-sigs () lists sourceforge net
Date: Fri, 26 Mar 2010 19:02:00 +0530
Subject: [Snort-sigs] Need help 'log to' option of the snort rule

Hi,

This is Manju writing in to request any suggestions on the below snort rule. I have a rule here which would be required to create a log file in order to log any of the alerts detected due to a visit to the 'youtube.com' site. But unfortunately it's not creating any file named youtubeviolation1.log in the specified directory. Could anybody throw some light on this? Below is the rule:

alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited via a different site"; content:"youtube.com"; threshold: type both, track by_src,count 1, seconds 120;\
logto:"/etc/snort/youtubeviolation.log"; classtype:policy-violation;sid:7000002;)

Thanks!
Manju

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
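The thread never settles why the logto target was not written, but the first thing worth checking when a rule option appears to be ignored is whether the rule parses the way you think it does. The following is an added example, not code from the thread or from the Snort project: a small parser for Snort 2 rule syntax that joins the backslash line continuation used in the posted rule, splits the option body on semicolons while respecting double quotes, and reports the header fields, every option keyword, and the file name handed to logto. The sample rule is the one posted above, embedded as a constructed string; the check_rule and is_well_formed helpers and their messages are this example's own.

```python
"""Parse a Snort 2 rule and report its header, options and logto target.

Added example for the logto thread; not Snort project code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the rule posted in the thread, including the
# backslash line continuation it used between "120;" and "logto".
SAMPLE_RULE = (
    'alert tcp any any -> any any '
    '(msg:"Policy Violation : YOUTUBE is visited via a different site"; '
    'content:"youtube.com"; threshold: type both, track by_src,count 1, seconds 120;\\\n'
    'logto:"/etc/snort/youtubeviolation.log"; classtype:policy-violation;sid:7000002;)'
)

HEADER_FIELDS = ["action", "proto", "src", "sport", "direction", "dst", "dport"]
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)


def join_continuations(text: str) -> str:
    """A trailing backslash continues a Snort rule on the next line."""
    return re.sub(r"\\\r?\n", "", text)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' outside double quotes.

    Returns (keyword, value) pairs; value is '' for bare keywords such as nocase.
    Raises ValueError for an unterminated quote or a missing trailing ';'.
    """
    opts: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote = False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote in rule options")
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    return opts


def parse_rule(text: str) -> Dict[str, object]:
    """Return header fields plus the ordered option list of one rule."""
    m = HEADER_RE.match(join_continuations(text).strip())
    if not m:
        raise ValueError("rule header did not parse")
    rule: Dict[str, object] = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    rule["options"] = split_options(m.group(8))
    return rule


def find_option(rule: Dict[str, object], key: str) -> List[str]:
    """All values given for one option keyword (a rule may repeat content:)."""
    return [v for k, v in rule["options"] if k == key]  # type: ignore[union-attr]


def logto_target(rule: Dict[str, object]) -> str:
    """File name named by logto with its quotes stripped, or '' if absent."""
    values = find_option(rule, "logto")
    return values[0].strip('"') if values else ""


def check_rule(rule: Dict[str, object]) -> List[str]:
    """Hypothetical lint: findings a rule author would want to see at a glance."""
    findings = []
    if not find_option(rule, "sid"):
        findings.append("missing sid")
    if not find_option(rule, "msg"):
        findings.append("missing msg")
    target = logto_target(rule)
    if target:
        findings.append(f"logto target: {target} (confirm the snort user can create it)")
    return findings


def is_well_formed(text: str) -> bool:
    """True if the rule header and option body parse without error."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print({k: v for k, v in r.items() if k != "options"})
    for key, val in r["options"]:  # type: ignore[union-attr]
        print(f"  {key} = {val}")
    print(check_rule(r))
```

Run it as a script to see the header, each option and the logto file name the rule actually names; feed it any other rule string to confirm the option you expect is really present and quoted the way Snort will read it.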