Re: SNORT3 - Alerts logging

[Russ via Snort-users <snort-users () lists snort org>]

The alert_full options are:

    $ snort --help-config alert_full
    bool alert_full.file = false: output to alert_full.txt instead of 
stdout
    int alert_full.limit = 0: set maximum size in MB before rollover (0 
is unlimited) { 0: }

The path and units you are trying to configure won't work.  Look in the 
manual under 4.7 Usage / Output Files for options and examples for log 
files.

It looks like you want this in your conf:

    alert_full = { file = true, limit = 1000000000 }

and -l /var/log on your command line.

Hope that helps.
Russ

On 10/6/18 4:05 AM, ZdenekChladek_cyber wrote:
> Hello,
> I'm studying from the manual how to log alerts:
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00363000000000000000 
>
>
> Passage from the manual:
> ******
> 2.6.3 alert_full
> This will print Snort alert messages with full packet headers. The 
> alerts will be written in the default logging directory 
> (/var/log/snort) or in the logging directory specified at the command 
> line.
> ******
>
> In my configuration I have tried:
> alert_full = {file = true, limit = 1, units = G }
> but the log is stored into /home directory in txt format.
>
>
> I tried to pass as the parameter 'filename' path in many variation but 
> any from them doesn't work:
>
> alert_full = {/var/log/, limit = 1, units = G }
> FATAL: can't load /usr/local/snort/etc/snort/snort.lua: 
> /usr/local/snort/etc/snort/snort.lua:338: unexpected symbol near '/'
>
> alert_full = {'/var/log/', limit = 1, units = G }
> ERROR: can't find alert_full
>
> alert_full = {'/var/log/alert.full', limit = 1, units = G }
> ERROR: can't find alert_full
>
> alert_full = {alert.full, limit = 1 , units = M }
> FATAL: can't init /usr/local/snort/etc/snort/snort.lua: 
> /usr/local/snort/etc/snort/snort.lua:338: attempt to index global 
> 'alert' (a nil value)
> Fatal Error, Quitting..
>
>
> What seems to be different against Snort 2.x are the parameters inside 
> {}.
> Exist some documentation from where I can get enough information for 
> Snort3?
>
> Thank You
> ZAJDAN
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>     To unsubscribe, send an email to:
>     snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!
>
> Please follow these rules: 
> https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette