FW: [Snort-users] snort & logging

Sven Olensky sol at ...2229...
Wed Jun 13 19:50:39 EDT 2001


I actually did, thanks for the hint, but it's still not working.

ps auxww:
/usr/local/snort/snort -dvs -c /usr/local/snort/etc/snort.conf -A fast -i eth0 -l /usr/local/snort/log/

snort.conf:

[..snip..]
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $INTERNAL 4 3 /usr/local/snort/log/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
[..snip..]
include /usr/local/snort/etc/snort.rules

snort.rules being the concatenation of all the rules files.

syslog:
e.g.
Jun 13 19:26:19 XXX snort[2683]: IDS255/ddos-shaft-handler-to-agent: 192.168.74.50:1024 -> 192.168.74.41:187

but this never gets written into an "alert" file. However, directories with
the source / attacker IP address are created, and the info is stored in a file in
that ip-address/ directory. Just the alert file is missing.


Hence, please advise. rwx permissions are cool too, btw.

> -----Original Message-----
> From: Brian Caswell [mailto:bmc at ...312...]
> Sent: Wednesday, June 13, 2001 5:19 PM
> To: Sven Olensky
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: FW: [Snort-users] snort & logging
> 
> 
> > Sven Olensky wrote:
> > 
> > please advise.
> 
> Please read README.
> 
> -- 
> Brian Caswell
> The MITRE Corporation
> 
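As an added example (not part of the original thread or of the Snort project's own code): a small Python parser for the syslog-style alert line quoted above, which turns each entry into a record and counts alerts per source address, the same grouping the per-IP log directories reflect. The first sample line is the one from the post; the remaining lines are constructed, and the port-less form used for the ICMP line is an assumption about Snort's syslog output rather than something the thread shows.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Only the first line is the syslog entry from the post;
# the others are made up in the same shape. The port-less ICMP line assumes Snort
# omits ports for protocols that have none (assumption, not verified here).
SAMPLE_SYSLOG = """\
Jun 13 19:26:19 XXX snort[2683]: IDS255/ddos-shaft-handler-to-agent: 192.168.74.50:1024 -> 192.168.74.41:187
Jun 13 19:26:20 XXX snort[2683]: IDS255/ddos-shaft-handler-to-agent: 192.168.74.50:1025 -> 192.168.74.41:187
Jun 13 19:26:21 XXX sshd[410]: Accepted publickey for root from 10.0.0.5 port 51022
Jun 13 19:27:02 XXX snort[2683]: IDS162/ping-nmap: 192.168.74.77 -> 192.168.74.41
"""

# Syslog prefix (timestamp, host, "snort[pid]:") followed by
# "<rule msg>: <src>[:<sport>] -> <dst>[:<dport>]". Ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"(?P<msg>.+?): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class SnortAlert:
    timestamp: str
    host: str
    pid: int
    msg: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a snort syslog line, or None for any other line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return SnortAlert(
        timestamp=m["ts"],
        host=m["host"],
        pid=int(m["pid"]),
        msg=m["msg"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_syslog(text: str) -> List[SnortAlert]:
    """Parse every line of a syslog excerpt, skipping lines that are not snort alerts."""
    alerts = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def alerts_by_source(alerts: List[SnortAlert]) -> Counter:
    """Count alerts per source address (the same key snort -l uses for its per-IP directories)."""
    return Counter(a.src for a in alerts)


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE_SYSLOG)
    for a in parsed:
        print(f"{a.timestamp} {a.msg} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    for src, n in alerts_by_source(parsed).most_common():
        print(f"{src}: {n} alert(s)")
```

Running the block prints one line per parsed alert followed by the per-source counts; non-snort syslog lines (the sshd line in the sample) are dropped rather than raising.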