[Snort-devel] snort_sysconfig and snort.conf (UNCLASSIFIED)

Wright, Jonathon S CTR (US) jonathon.s.wright.ctr at ...3464...
Tue Jan 7 20:40:04 EST 2014

Classification: UNCLASSIFIED
Caveats: NONE

Hey List, 

While configuring snort on RHEL 6.5, I noticed that the rpm came with a
"snort_sysconfig" file that I later placed in the /etc/sysconfig directory.
One of the options in the snort_sysconfig file is ALERTMODE; per the file
notes, it states this:

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}

I set it to "fast" for now, because that is what I want, but I also want to
be able to capture the "full".
For example, in my snort.conf I have this for the output plugins:

output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert

The purpose of the second is for troubleshooting and a backup of the alert
that comes in human-readable form.

To achieve that, is the snort.conf plugin entry sufficient? If not, what do
I put in the snort_sysconfig file?
Or does the ALERTMODE override the snort.conf output plugins?

I'm about to head out, but will check this in the morning in case replies come
back quickly.

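The question above is really about two places where alerting can be configured: the ALERTMODE value in /etc/sysconfig/snort, which the RPM's init script turns into a -A flag on the snort command line, and the output alert_* lines inside snort.conf. The added example below is not from the original post or from the Snort project; it is a small configuration check that parses both files (constructed sample contents are embedded inline), rebuilds the command line the way a sysconfig-driven init script does (an assumption about that script: an empty ALERTMODE adds no flag, anything else becomes "-A <mode>"), and flags the case where a command-line alert mode and a file-based alert plugin are both present. Snort 2.x documents command-line logging options as overriding output options in the configuration file, which is what the "overridden" flag reports; the function names and the sample paths are this example's own.

```python
"""Check how ALERTMODE in /etc/sysconfig/snort interacts with snort.conf output plugins."""
import re
import shlex

# Constructed sample of /etc/sysconfig/snort (only ALERTMODE matters for this check).
SAMPLE_SYSCONFIG = """\
# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.
ALERTMODE=fast
INTERFACE=eth0
"""

# Constructed sample of the output section from the snort.conf in the post.
SAMPLE_SNORT_CONF = """\
output unified2: filename /var/data/snort/unified2.log, limit 80
output alert_full: /var/data/snort/snort.alert
"""

# Alert modes listed in the snort_sysconfig comment block.
VALID_ALERT_MODES = {"fast", "full", "none", "unsock"}


def parse_sysconfig(text):
    """Return KEY -> value for a sysconfig-style file (shell syntax; comments ignored)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # shlex handles quoted values such as ALERTMODE="fast" and trailing comments.
        parts = shlex.split(value, comments=True)
        values[key.strip()] = parts[0] if parts else ""
    return values


def parse_output_plugins(text):
    """Return [(plugin, options)] for every 'output <plugin>: <options>' line in snort.conf."""
    plugins = []
    for line in text.splitlines():
        match = re.match(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$", line)
        if match:
            plugins.append((match.group(1), match.group(2)))
    return plugins


def build_command_line(sysconfig, conf_path="/etc/snort/snort.conf"):
    """Rebuild the alert-related part of the snort command line from sysconfig values.

    Assumption (modelled on the RPM's snortd init script, not copied from it):
    an empty ALERTMODE adds nothing, any other value becomes '-A <mode>'.
    """
    args = ["snort", "-c", conf_path]
    mode = sysconfig.get("ALERTMODE", "")
    if mode:
        if mode not in VALID_ALERT_MODES:
            raise ValueError(f"unsupported ALERTMODE {mode!r}")
        args += ["-A", mode]
    return args


def effective_alerting(sysconfig_text, snort_conf_text):
    """Summarise which alert outputs are configured and whether they collide."""
    sysconfig = parse_sysconfig(sysconfig_text)
    plugins = parse_output_plugins(snort_conf_text)
    cmdline = build_command_line(sysconfig)
    conf_alert_plugins = [name for name, _ in plugins if name.startswith("alert_")]
    # Snort 2.x treats command-line logging options as overriding config-file output
    # options, so a -A flag next to an alert_* plugin means the plugin will not be used.
    overridden = "-A" in cmdline and bool(conf_alert_plugins)
    return {
        "command_line": cmdline,
        "conf_outputs": plugins,
        "conf_alert_plugins": conf_alert_plugins,
        "cli_alert_mode": sysconfig.get("ALERTMODE", ""),
        "alert_plugins_overridden": overridden,
    }


if __name__ == "__main__":
    report = effective_alerting(SAMPLE_SYSCONFIG, SAMPLE_SNORT_CONF)
    print("command line:", " ".join(report["command_line"]))
    for name, options in report["conf_outputs"]:
        print(f"snort.conf output {name}: {options}")
    if report["alert_plugins_overridden"]:
        print("warning: ALERTMODE=%s on the command line overrides %s in snort.conf"
              % (report["cli_alert_mode"], ", ".join(report["conf_alert_plugins"])))
```

Run against the real files by reading /etc/sysconfig/snort and snort.conf into the two arguments. With the sample values the check reports that ALERTMODE=fast overrides the alert_full plugin; leaving ALERTMODE empty in the sysconfig file removes the -A flag and lets the unified2 and alert_full lines in snort.conf decide the outputs on their own, which is the arrangement to verify against the manual for the deployed Snort version.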
