[Snort-users] log

Saragoth nntk saragoth at ...131...
Wed May 16 02:52:15 EDT 2001


Actually that made no difference, with or without it I
still get entries about portscan in syslog.

Think I didn't say what version I am running, it's 1.7.

Anyone else that has any idea what's wrong?

Regards Sg


--- Jason Lewis <jlewis at ...1831...> wrote:
> You can't use the -l on the command line AND define
> it in snort.conf.
> 
> Remove "-l /var/log/snort" from your command line.
> 
> Jason Lewis
> http://www.packetnexus.com
> "All you can do is manage the risks. There is no
> security."
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Saragoth nntk
> Sent: Tuesday, May 15, 2001 10:53 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] log
> 
> 
> I have defined this in snort.conf
> 
> output alert_full: filename
> output alert_fast: filename
> output log_tcpdump: filename
> 
> I start snort with:
> /usr/local/bin/snort -D -c /etc/snort.conf -i eth1 -l /var/log/snort
> 
> 
> It logs to the 3 specified files, but I am still
> getting this in syslog:
> 
> May 15 08:46:22 hostname snort: LOG: spp_portscan: PORTSCAN DETECTED from xxx.xxx.xxx.xxx (THRESHOLD 4 connections exceeded in 3 seconds)
> May 15 08:46:26 hostname snort: LOG: spp_portscan: portscan status from xxx.xxx.xxx.xxx: 10 connections across 4 hosts: TCP(0), UDP(10)
> May 15 08:46:33 hostname snort: LOG: spp_portscan: portscan status from xxx.xxx.xxx.xxx: 4 connections across 2 hosts: TCP(0), UDP(4)
> May 15 08:46:40 hostname snort: LOG: spp_portscan: End of portscan from xxx.xxx.xxx.xxx: TOTAL time(7s) hosts(5) TCP(0) UDP(14)
> 
> Any idea how I stop that logging into syslog?
> 
> Regards Sg
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

