[Snort-devel] snort_sysconfig and snort.conf (UNCLASSIFIED)

Wright, Jonathon S CTR (US) jonathon.s.wright.ctr at ...3464...
Tue Jan 7 20:40:04 EST 2014


Classification: UNCLASSIFIED
Caveats: NONE

Hey List, 

While configuring snort on RHEL 6.5, I noticed that the rpm came with a
"snort_sysconfig" file, which I later placed in the /etc/sysconfig directory.
One of the options in the snort_sysconfig file is ALERTMODE; the notes in the
file state this:

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast


I set it to "fast" for now, because that is what I want, but I also want to
be able to capture the "full". 
For example, in my snort.conf I have this for the output plugins:

output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert

The purpose of the second is troubleshooting and a backup of the alert in
human-readable form.

To achieve that, is the snort.conf plugin entry sufficient? If not, what do
I put in the snort_sysconfig file?
Or does the ALERTMODE override the snort.conf output plugins?

I'm about to head out, but will check this in the morning in case replies come
back quickly.

Thanks!

JW

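The two places the post shows alerting being configured, the ALERTMODE line in the sysconfig file and the output alert_* line in snort.conf, as an added example that is not part of the original post or of the Snort project's code: a small POSIX shell script that reads a constructed stand-in for each file and prints what each one contributes. It assumes, as the "# -A {alert-mode}" comment in the sysconfig file hints, that the init script turns ALERTMODE into a -A command-line option; that assumption, the temporary paths and the sample file contents are the example's own, not facts stated on the page.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Snort project.
# ASSUMPTION: the RHEL snortd init script sources /etc/sysconfig/snort and
# passes "-A $ALERTMODE" on the snort command line, as the "# -A {alert-mode}"
# comment in that file suggests. Both input files below are constructed stand-ins.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/sysconfig/snort (one ALERTMODE setting).
cat > "$WORK/snort_sysconfig" <<'EOF'
# How should Snort alert? Valid alert modes include fast, full, none, and unsock.
ALERTMODE=fast
EOF

# Constructed stand-in for the output section of /etc/snort/snort.conf.
cat > "$WORK/snort.conf" <<'EOF'
# output plugins
output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert
EOF

# sysconfig_alert_flag FILE
# Sources FILE in a subshell the way an init script does and prints the
# "-A <mode>" option that ALERTMODE would contribute (assumed mapping, see
# above); prints nothing when ALERTMODE is unset or empty.
sysconfig_alert_flag() {
    mode=$( . "$1" >/dev/null 2>&1; printf '%s' "${ALERTMODE:-}" )
    [ -n "$mode" ] || return 0
    printf '%s %s\n' -A "$mode"
}

# conf_alert_outputs FILE
# Prints every active (uncommented) "output alert_*" line from snort.conf,
# i.e. the second place where alerting is configured.
conf_alert_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+alert_' "$1" || true
}

# alert_sources SYSCONFIG CONF
# Prints both alert configuration sources side by side so an operator can
# see, before starting snort, that alerting is being set in two places.
alert_sources() {
    printf 'sysconfig (-A flag): %s\n' "$(sysconfig_alert_flag "$1")"
    printf 'snort.conf alert output plugins:\n'
    conf_alert_outputs "$2" | sed 's/^/  /'
}

alert_sources "$WORK/snort_sysconfig" "$WORK/snort.conf"
```

Run it with sh: it prints the -A option derived from ALERTMODE and the output alert_* lines from snort.conf, which is the pair an operator wants to compare before deciding which file should carry the alert configuration. Sourcing the sysconfig file executes it, so only do that with a file that root owns and nobody else can write.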

