[Snort-users] logging output

Roeland Weve roeland at ...1415...
Thu May 17 04:22:55 EDT 2001


Hello,

I have this ruletype in my snort.conf:
ruletype scanalert
{
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
}
I use it to log scan alerts (like ping, etc.) to a different database than
regular alerts (like exploits).
This is to reduce one big database to two databases.
This works: a rule which begins with alert logs to a different database than
a rule starting with scanalert, e.g.:
scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

I am using this output for Acid.

I also log to a logfile that I'm using for SnortSnarf or other
'logscanners' like ewatch.
I also want to split this logfile into 2 logfiles, one for scanalerts and
the other one for normal alerts.
Can somebody tell me how to do this?

I am not very familiar with the alert_syslog options.
Maybe this is something for the documentation? Because I really don't know
what I can do with all those LOG_xxx names.

I really appreciate your help,

Roeland

------------------------
Options 
    LOG_CONS 
    LOG_NDELAY 
    LOG_PERROR 
    LOG_PID 
Facilities 
    LOG_AUTH 
    LOG_AUTHPRIV 
    LOG_DAEMON 
    LOG_LOCAL0 
    LOG_LOCAL1 
    LOG_LOCAL2 
    LOG_LOCAL3 
    LOG_LOCAL4 
    LOG_LOCAL5 
    LOG_LOCAL6 
    LOG_LOCAL7 
    LOG_USER 
Priorities 
    LOG_EMERG 
    LOG_ALERT 
    LOG_CRIT 
    LOG_ERR 
    LOG_WARNING 
    LOG_NOTICE 
    LOG_INFO 
    LOG_DEBUG
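One way to do the split the post asks for, given here as an added example and not as a reply from the list or code from the original post. In `alert_syslog`, the first LOG_xxx word is the syslog(3) facility and the second is the priority: the facility is what syslogd uses to route a message in syslog.conf, the priority is its severity (LOG_EMERG is highest, LOG_DEBUG lowest). So the two classes of alert can be separated twice over: once in Snort, by giving the scanalert ruletype its own `alert_fast` logfile while the ordinary `alert` rules keep using the output plugins declared outside any ruletype, and once in syslog, by sending each class to a different LOCAL facility and routing the facilities to separate files. The filenames, the choice of LOG_LOCAL0/LOG_LOCAL1, the second database name `snortdb` and the syslog.conf paths are assumptions for this example; `alert_fast` filenames are relative to Snort's log directory (the `-l` option).

```conf
# snort.conf (example): output plugins declared outside a ruletype apply
# to the built-in rule types (alert, log). These handle the regular alerts.
# File and database names are assumed for this example.
output alert_syslog: LOG_LOCAL1 LOG_ALERT
output alert_fast: exploit_alerts.log
output database: log, mysql, user=snorter dbname=snortdb host=localhost password=xxxx

# Output plugins declared inside a ruletype apply only to rules of that
# type, so scan alerts get their own fast-format file, facility and database.
ruletype scanalert
{
   type alert
   output alert_syslog: LOG_LOCAL0 LOG_ALERT
   output alert_fast: scan_alerts.log
   output database: log, mysql, user=snorter dbname=snortscandb host=localhost password=xxxx
}

# The rules themselves stay as in the post: the keyword at the start of the
# rule selects which set of output plugins fires.
scanalert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail from|3a20227c|";)

# /etc/syslog.conf (example): route the two facilities to two files.
# The selector is facility.priority; "local0.*" takes every priority on
# that facility, "local0.alert" would only take alert and above.
# Paths are assumed; the syslog daemon must be restarted or HUPed afterwards.
local0.*        /var/log/snort/scan.log
local1.*        /var/log/snort/exploit.log
```

With this in place SnortSnarf or ewatch can be pointed at scan_alerts.log and exploit_alerts.log separately. Using the LOCAL0..LOCAL7 facilities rather than LOG_AUTH keeps the Snort messages out of the file where the system's own authentication messages (su, login, sshd) land, which matters when that file is watched by other tooling or read by other users.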
