[Snort-users] logging output
roeland at ...1415...
Thu May 17 04:22:55 EDT 2001
I have this ruletype in my snort.conf:

    # ruletype header as Snort expects it; the post shows only the output lines
    ruletype scanalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snorter dbname=snortscandb
    }
I use it to log scan alerts (like ping, etc.) to a different database than
regular alerts (like exploits). This is to split one big database into
two databases.
This works: a rule which begins with alert logs to a different database than
a rule starting with scanalert, e.g.:

    scanalert ICMP $EXTERNAL any -> $INTERNAL any
    (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth:

    alert TCP $EXTERNAL any -> $INTERNAL 25
    (msg: "IDS119/smtp-exploit555"; flags: A+; content: "mail
I am using this output for ACID.
I also log to a logfile that I use for SnortSnarf or other
'logscanners' like ewatch.
I also want to split this logfile into two logfiles, one for scanalerts and
the other one for normal alerts.
Can somebody tell me how to do this?
I am not very familiar with the alert_syslog options.
Maybe this is something for the documentation? Because I really don't know
what I can do with all those LOG_xxx names.
I would really appreciate your help,
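One way to get the split the post asks for, as an added example that is not the poster's own snort.conf: give the custom ruletype its own alert_fast file and its own syslog facility, and leave the built-in alert action on the defaults. In alert_syslog the first LOG_xxx word is the syslog facility (LOG_AUTH, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7, ...) and the second is the priority (LOG_ALERT, LOG_WARNING, LOG_INFO, ...); the file paths, the choice of LOG_LOCAL0 for scans and the database name snortdb are assumptions made for this example.

```conf
# Added example, not the poster's config. Paths, the LOG_LOCAL0 facility
# and the "snortdb" database name are assumptions.

# Built-in "alert" action: regular alerts (exploits) go to their own
# text file, to syslog under the auth facility, and to the main database.
output alert_fast: /var/log/snort/alert.fast
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snorter dbname=snortdb

# Custom action for scans. Rules written as "scanalert ..." use only the
# outputs listed inside this block, so scan alerts land in a separate
# file, a separate syslog facility and the scan database.
ruletype scanalert
{
    type alert
    output alert_fast: /var/log/snort/scanalert.fast
    output alert_syslog: LOG_LOCAL0 LOG_ALERT
    output database: log, mysql, user=snorter dbname=snortscandb
}
```

Because the two ruletypes now use different facilities, the syslog side can be split too: a syslog.conf line such as `local0.*  /var/log/snort/scans.log` routes the scan alerts while `auth.alert` entries keep going wherever the auth facility already goes. SnortSnarf can then be pointed at alert.fast or scanalert.fast independently.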