[Snort-users] snort & logging

John Sage jsage at ...2022...
Mon Jun 11 15:41:16 EDT 2001


Logging and alerts are two different animals.

At least in a rules file (this is my tcp-local-lib..) you can do this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from

(Actually I don't think the (msg: ... ) does anything in the log line...)

So tcp coming in to *my* port 25 generates an alert, but I'm just 
logging everything that's *from* port 25


- John

Sven Olensky wrote:

> I know, I know I bet a million people have encountered this before, but 
> I have to ask it, since I am just plainly clueless about how to go about 
> this:
> how exactly do I switch snort to logging into the alerts file rather 
> than the log file.. can you guys give me the complete line I have to 
> insert into snort.conf for that, please? I can't figure it out.
> preprocessor output..... and what then?
> thanks!
> please cc sol at ...2229..., since I am not a regular subscriber.

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
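A small parser for the rule-header syntax used in the two rules above, added here as an example; it is not part of John's post and not Snort's own code. It reads the post's two rules (plus a constructed comment line) and groups them by action, so the difference between a rule that raises an alert and one that only logs packets is explicit. The function names `parse_rules` and `summarize` are this example's own choices.

```python
"""Parse Snort rule lines and group them by action (alert vs log).

Added example: this is a simplified parser, not Snort's own rule engine.
The sample rules below are the two from the post plus a constructed comment.
"""
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport dir dst dport, then optional "(options)".
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"(?:\s*\((?P<opts>.*)\))?\s*$"
)

# Each option is "key:value;" or "key;"; a quoted value may contain ';'.
OPT_RE = re.compile(
    r'\s*(?P<key>[\w-]+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

    def header(self) -> str:
        """Human-readable header, e.g. 'tcp $EXTERNAL_NET:any -> $HOME_NET:25'."""
        return (f"{self.proto} {self.src}:{self.sport} "
                f"{self.direction} {self.dst}:{self.dport}")


def parse_options(text: str) -> dict:
    """Turn 'msg:"TCP to 25 smtp"; sid:1;' into {'msg': ..., 'sid': '1'}."""
    opts = {}
    for m in OPT_RE.finditer(text):
        val = m.group("val")
        if val is not None:
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        opts[m.group("key")] = val
    return opts


def parse_rules(text: str) -> list:
    """Parse every non-blank, non-comment line; raise on a malformed rule."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule header: {line!r}")
        opts = parse_options(m.group("opts") or "")
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"],
                          m["dir"], m["dst"], m["dport"], opts))
    return rules


def summarize(rules: list) -> dict:
    """Group rule headers by action so alert-only and log-only rules stand out."""
    groups = {}
    for r in rules:
        groups.setdefault(r.action, []).append(r.header())
    return groups


# Sample rules: the two from the post, plus a constructed comment line.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from  (constructed comment, skipped by the parser)
"""

if __name__ == "__main__":
    for action, headers in summarize(parse_rules(SAMPLE_RULES)).items():
        print(action)
        for h in headers:
            print("   ", h)
```

Running it prints one group per action: the `alert` group holds the inbound-to-25 rule and the `log` group holds the from-25 rule, which is exactly the "alert to, log from" split John describes.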

