[Snort-users] snort and mysql

Edwin Chiu Edwin.Chiu at ...1378...
Sat Apr 7 00:30:10 EDT 2001


I could never get this ruletype to work:

ruletype susp
{
        type alert
        output alert_full: /var/log/snort/alert.susp
}

The file is created, but nothing ever gets logged into it....

Rule I tested:

susp icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode:0;)

I tried pinging a couple of IPs, and nothing got logged... the file remained empty...


Edwin

Martin Roesch wrote:

> Andrew Baker is the expert on this set of functionality, although the
> overlapping namespace problem has been fixed in the latest dev code...
>
>     -Marty
>
> Andreas Hasenack wrote:
> >
> > On Tue, Apr 03, 2001 at 12:24:15AM -0400, alexus wrote:
> > > ruletype redalert
> > > {
> > >   type alert
> > >   output alert_syslog: LOG_AUTH LOG_ALERT
> > >   output database: log, mysql, user=user dbname=dbn host=localhost
> > > password=password
> > > }
> > >
> > > I replaced dbn, user and password with my own things..
> > > and it wouldn't log there... any ideas why?
> >
> > You have to make your rules use this new ruletype. Try using
> > "redalert" instead of "alert" in some rules and then trigger them.
> >
> > OR, just configure the output database stuff, outside a ruletype definition.
> > Check the included config file for examples. But, AFAIK, you won't be
> > able to syslog and log to a database at the same time if you do this.
> >
> > BTW, I would like to be able to redefine "alert" so that I don't have
> > to change every rule I have to use the new type. Or am I missing something?
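A small checker for the point Andreas makes above (a custom ruletype only produces output if some rule actually uses it as its action), as an added example that is not part of this thread or of Snort itself. It assumes Snort 1.x syntax: the `ruletype name { type ...; output ...; }` block form and rules whose first token is the action; the regexes, function names and the sample config are constructed here.

```python
import re
# Built-in Snort 1.x rule actions; any other action must be declared with "ruletype".
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.DOTALL)
RULE_RE = re.compile(r"^\s*(\w+)\s+(?:tcp|udp|icmp|ip)\s+", re.IGNORECASE | re.MULTILINE)

def parse_ruletypes(conf_text):
    """Return {name: {"type": base_type, "outputs": [output specs]}} per ruletype block."""
    found = {}
    for name, body in RULETYPE_RE.findall(conf_text):
        base, outputs = None, []
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("type "):
                base = line.split(None, 1)[1]
            elif line.startswith("output "):
                outputs.append(line[7:])
        found[name] = {"type": base, "outputs": outputs}
    return found

def rule_actions(rules_text):
    """Return the set of action keywords (first token) used by the rules."""
    return {m.lower() for m in RULE_RE.findall(rules_text)}

def check_ruletypes(conf_text, rules_text):
    """Report ruletypes no rule uses (their outputs never fire) and undeclared actions."""
    declared = parse_ruletypes(conf_text)
    used = rule_actions(rules_text)
    unused = sorted(n for n in declared if n not in used)
    undefined = sorted(a for a in used if a not in declared and a not in BUILTIN_ACTIONS)
    return {"unused": unused, "undefined": undefined}

# Constructed sample: the two ruletypes from the thread; only "susp" is used by a rule.
SAMPLE_CONF = """
ruletype susp
{
        type alert
        output alert_full: /var/log/snort/alert.susp
}
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
}
"""
SAMPLE_RULES = """
susp icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode:0;)
alert tcp any any -> any 23 (msg:"telnet";)
badtype udp any any -> any 53 (msg:"dns";)
"""
```

Running `check_ruletypes(SAMPLE_CONF, SAMPLE_RULES)` flags `redalert` as declared but unused and `badtype` as used but never declared.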

More information about the Snort-users mailing list