[Snort-sigs] problem with double logging

Marco Agostani m.agostani at ...1537...
Tue May 27 07:21:02 EDT 2003


Hi there,

I've a problem with Snort 2.0 using the default output plugin.
If I write down a rule like this

log tcp $NET -> .....etc.

my packet is being logged double; if the rule says alert, I catch only one log.

My snort.conf is:

var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
var RULE_PATH /etc/snort
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include reference.config

I fire up snort with /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort


regards
Marco Agostani





