FW: [Snort-users] snort & logging

Sven Olensky sol at ...2229...
Wed Jun 13 16:38:36 EDT 2001


please advise.

thanks.

> -----Original Message-----
> From: Sven Olensky 
> Sent: Monday, June 11, 2001 4:06 PM
> To: 'John Sage'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort & logging
> 
> 
> how if I would like to redirect the output file written to 
> the "log" file to the "alerts" file? I cannot find a setting anywhere.
> 
> thanks!
> 
> > -----Original Message-----
> > From: John Sage [mailto:jsage at ...2022...]
> > Sent: Monday, June 11, 2001 3:41 PM
> > To: Sven Olensky
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] snort & logging
> > 
> > 
> > Sven:
> > 
> > Logging and alerts are two different animals.
> > 
> > At least in a rules file (this is my tcp-local-lib..) you can do this:
> > 
> > #
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
> > #
> > log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
> > # alert to, log from
> > 
> > (Actually I don't think the (msg: ... ) does anything in the log line...
> > 
> > So tcp coming in to *my* port 25 generates an alert, but I'm just 
> > logging everything that's *from* port 25
> > 
> > HTH..
> > 
> > - John
> > 
> > Sven Olensky wrote:
> > 
> > > I know, I know I bet a million people have encountered this before, but
> > > I have to ask it, since I am just plainly clueless about how to go about
> > > this:
> > > 
> > > how exactly do I switch snort to logging into the alerts file rather
> > > than the log file.. can you guys give me the complete line I have to
> > > insert into snort.conf for that, please? I can't figure it out.
> > > 
> > > preprocessor output..... and what then?
> > > 
> > > thanks!
> > > 
> > > please cc sol at ...2229..., since I am not a regular subscriber.
> > > 
> > 
> > 
> > -- 
> > John Sage
> > FinchHaven, Vashon Island, WA, USA
> > http://www.finchhaven.com/
> > mailto:jsage at ...2022...
> > "The web is so, like, five minutes ago..."
> > 
> 
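As an added illustration of the distinction John draws between the two rule actions (this is example configuration, not anything posted in the thread), here is a minimal snort.conf fragment in Snort 1.x/2.x syntax. It assumes the alert_fast and log_tcpdump output plugins, a log directory of /var/log/snort, and a constructed HOME_NET value; the two rule lines mirror the ones quoted above.

```snort
# Added example, not from the thread. Snort 1.x/2.x style configuration.
# Paths, network values and plugin choices are assumptions; adjust for your install.

var HOME_NET 192.168.1.0/24       # constructed sample network
var EXTERNAL_NET !$HOME_NET

# Output plugins decide where each kind of event is written.
# An "alert" rule feeds the alert output plugin (and also logs the packet);
# a "log" rule only feeds the log output plugin and never touches the alert file.
output alert_fast: alert          # one-line alerts  -> /var/log/snort/alert
output log_tcpdump: snort.log     # raw packet logs  -> /var/log/snort/snort.log.*

# Inbound SMTP from outside: generate an alert (and log the packet).
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)

# Traffic coming back from port 25: only logged, never alerted.
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)

# To make that second rule show up in the alert file instead, change its
# action keyword; there is no separate setting that redirects log output:
# alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
```

Run it with `snort -c snort.conf -l /var/log/snort` and compare what lands in `alert` versus `snort.log.*`: the action keyword at the start of each rule, not an output setting, is what decides which file a matching packet reaches.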