[Snort-users] Newbie questions: logs

John Sage jsage at ...2022...
Mon Jun 11 10:24:58 EDT 2001


ayse:

ayse at ...2206... wrote:

> 
> Warm greetings to all.
> 
> I have just installed snort on one of our boxes (yey)
> and am very confused about all the logs.
> In the snort directory - I have a


These should all be written-to by different circumstances, depending ;-)

> 	log


gets results from something like this in a rules file:

log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)


> 	alert


gets results from something like this in a rules file:

alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)

> 	portscan.log


gets results from this in snort.conf:

# portscan: detect a variety of portscans
# ---------------------------------------
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log


HTH..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."



> The above log files look v. similar in content. Can someone tell me
> why the need for 3 outputs or point me to a doco that may enlighten me.
> I have only enabled/played with the scan.rules options so far.
> 
> Many thanks in advance
> ayse

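As an added illustration (my own code, not from the message above and not part of Snort itself): a small Python parser that reads the three configuration lines quoted in the reply and reports which output file each one feeds. It assumes the 1.x-era rule header layout shown in the message and only extracts the msg option; the sample config below is constructed from those quoted lines.

```python
import re

# Snort 1.x rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# preprocessor portscan: <network> <ports> <seconds> <logfile>
PORTSCAN_RE = re.compile(
    r'^preprocessor\s+portscan:\s+(?P<net>\S+)\s+(?P<ports>\d+)\s+(?P<secs>\d+)\s+(?P<logfile>\S+)'
)
# Which output the rule action feeds, as described in the reply (pass writes nothing)
ACTION_OUTPUT = {"alert": "alert", "log": "log", "pass": None}

# Constructed sample, assembled from the lines quoted in the message
SAMPLE_CONFIG = [
    'log tcp any any <> $HOME_NET any (msg: "Log: TCP packet";)',
    'alert tcp 192.168.0.0/16 any -> $HOME_NET any (msg: "Alert: tcp from 192 private block";)',
    '# portscan: detect a variety of portscans',
    'preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log',
]

def parse_rule(line):
    """Return the header fields, msg and target output of one rule, or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")   # split on the first colon only,
            opts[key.strip()] = val.strip().strip('"')  # so "Alert: ..." keeps its colon
    fields = m.groupdict()
    fields["msg"] = opts.get("msg")
    fields["output"] = ACTION_OUTPUT[fields["action"]]
    return fields

def parse_portscan(line):
    """Return network, port/second thresholds and log file of a portscan line, or None."""
    m = PORTSCAN_RE.match(line.strip())
    if not m:
        return None
    return {"net": m.group("net"), "ports": int(m.group("ports")),
            "seconds": int(m.group("secs")), "logfile": m.group("logfile")}

def outputs_for(config_lines):
    """Map each output (log, alert, portscan file) to what writes into it."""
    result = {}
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments carry no output
        ps = parse_portscan(line)
        if ps:
            desc = f"portscan {ps['net']} {ps['ports']} ports/{ps['seconds']}s"
            result.setdefault(ps["logfile"], []).append(desc)
            continue
        rule = parse_rule(line)
        if rule and rule["output"]:
            result.setdefault(rule["output"], []).append(rule["msg"])
    return result
```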