[Snort-users] snort & logging
jsage at ...2022...
Mon Jun 11 15:41:16 EDT 2001
Logging and alerts are two different animals.
At least in a rules file (this is my tcp-local-lib..) you can do this:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from
(Actually I don't think the (msg: ... ) does anything in the log line...)
So tcp coming in to *my* port 25 generates an alert, but I'm just
logging everything that's *from* port 25
Sven Olensky wrote:
> I know, I know I bet a million people have encountered this before, but
> I have to ask it, since I am just plainly clueless about how to go about
> how exactly do I switch snort to logging into the alerts file rather
> than the log file.. can you guys give me the complete line I have to
> insert into snort.conf for that, please? I can't figure it out.
> preprocessor output..... and what then?
> please cc sol at ...2229..., since I am not a regular subscriber.
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
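To make the alert-versus-log distinction from the reply concrete, here is a small parser for the two rule lines quoted above; it is an added example, not code from the post or from the Snort project. The values substituted for $EXTERNAL_NET and $HOME_NET are constructed, as the post never defines them, and the "sink" wording for each action is the editor's summary of what the two rule types do.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for the rule variables (the post does not define them).
VARS = {"$EXTERNAL_NET": "!10.0.0.0/8", "$HOME_NET": "10.0.0.0/8"}
ACTIONS = ("alert", "log", "pass")

@dataclass
class Rule:
    action: str        # alert, log or pass
    proto: str
    src: str
    src_port: str
    direction: str     # "->" one way, "<>" either way
    dst: str
    dst_port: str
    msg: Optional[str] # the msg: option, if any

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rules-file line; returns None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    head, _, opts = line.partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError(f"unrecognised rule header: {line!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    m = re.search(r'msg:\s*"([^"]*)"', opts)
    return Rule(action, proto, VARS.get(src, src), sport, direction,
                VARS.get(dst, dst), dport, m.group(1) if m else None)

def summarise(rule: Rule) -> str:
    """Describe the traffic the rule selects and where its output goes."""
    sink = {"alert": "alert + packet log", "log": "packet log only",
            "pass": "no output"}[rule.action]
    return (f"{rule.proto} {rule.src}:{rule.src_port} {rule.direction} "
            f"{rule.dst}:{rule.dst_port} => {sink}")

# The two rules and the comment from the reply above, verbatim.
RULES_FILE = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from
"""

def load_rules(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for r in load_rules(RULES_FILE):
        print(summarise(r))
```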