Snort mailing list archives

snort_sysconfig and snort.conf (UNCLASSIFIED)


From: "Wright, Jonathon S CTR (US)" <jonathon.s.wright.ctr () mail mil>
Date: Wed, 8 Jan 2014 01:40:04 +0000

Classification: UNCLASSIFIED
Caveats: NONE

Hey List,

While configuring snort on RHEL 6.5, I noticed that the rpm came with a
"snort_sysconfig" file that I later placed in the /etc/sysconfig directory.
One of the options in the snort_sysconfig file is ALERTMODE; per the notes
in the file, it states this:

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast


I set it to "fast" for now, because that is what I want, but I also want to
be able to capture the "full".
For example, in my snort.conf I have this for the output plugins:

output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert

The purpose of the second is for troubleshooting and a backup of the alert
that comes in human-readable form.

To achieve that, is the snort.conf plugin entry sufficient? If not, what do
I put in the snort_sysconfig file?
Or does the ALERTMODE override the snort.conf output plugins?

I'm about to head out, but will check this in the morning in case replies come
back quickly.

Thanks!

JW

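The question above is really "which alert sinks are configured, and do the sysconfig -A mode and the snort.conf output plugins overlap?". The following shell script is an added example, not code from the poster or from the Snort project: it reads a snort_sysconfig and a snort.conf (constructed sample copies of the two fragments quoted in the post, written to a temporary directory) and reports the ALERTMODE value and the output plugin names, so the operator can compare that summary with the files that actually appear under /var/data/snort after a restart. The file paths and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which Snort alert
# sinks are configured in snort_sysconfig (ALERTMODE, passed to snort as -A)
# and in snort.conf (output plugins).

# Constructed sample files in a temp dir; the paths are assumptions.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SYSCONFIG="$WORK/snort_sysconfig"
SNORTCONF="$WORK/snort.conf"

cat > "$SYSCONFIG" <<'EOF'
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast
EOF

cat > "$SNORTCONF" <<'EOF'
output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert
EOF

# Print the effective ALERTMODE value (last uncommented assignment wins),
# or "unset" when the file does not set it.
alert_mode() {
    mode=$(sed -n 's/^[[:space:]]*ALERTMODE=//p' "$1" | tail -n 1)
    if [ -n "$mode" ]; then echo "$mode"; else echo unset; fi
}

# Print the output plugin names (unified2, alert_full, ...) declared in
# snort.conf, one per line, in file order.
output_plugins() {
    sed -n 's/^[[:space:]]*output[[:space:]][[:space:]]*\([a-z0-9_]*\):.*/\1/p' "$1"
}

# Return 0 when a non-"none" ALERTMODE and an alert_* output plugin are both
# configured, i.e. the two human-readable alert sinks the post asks about
# are requested from two different places.
alert_sinks_overlap() {
    m=$(alert_mode "$1")
    [ "$m" != "none" ] && [ "$m" != "unset" ] || return 1
    output_plugins "$2" | grep -q '^alert_'
}

# Human-readable summary for the operator.
echo "ALERTMODE (-A): $(alert_mode "$SYSCONFIG")"
echo "snort.conf output plugins:"
output_plugins "$SNORTCONF" | sed 's/^/  /'
if alert_sinks_overlap "$SYSCONFIG" "$SNORTCONF"; then
    echo "note: -A mode and an alert_* output plugin are both configured"
fi
```

After restarting snort with the real files, list the alert files that actually get created (the "alert" file named by -A and the path given to alert_full) and compare them with this summary; that tells you empirically which of the two settings took effect, independent of what the sysconfig comment promises.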

