[Snort-users] snort with 2 nics - collecting only UDP data

Tinu Patel tinu.patel at ...4164...
Tue Nov 27 11:35:02 EST 2001

Thanks a lot for the feedback.......I removed the extra any from the
snort.conf file......and I am using log because I am entering data into
a mysql database and using ACID as a front end.  In my snort.conf file
if I do:

log udp any any --> any

then I can see all the udp traffic, but when I do:

log tcp any any --> any

then it doesn't log any data!!!!...which puzzles me coz it's the exact
same syntax but just a different protocol......
And I do not have a "nolog" directive in my snort.conf.....

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: Tuesday, November 27, 2001 1:11 PM
To: Tinu Patel
Subject: Re: [Snort-users] snort with 2 nics - collecting only UDP data

Note that "log" is not the same as "alert".. are you sure you're looking
in the right place for your TCP packets?

Packets matching an alert rule appear both in your alert file
(/var/log/snort/alerts by default) and your log subdirectories. Log
rules only add to the subdirectories, but do not add to the alerts file.

ie: /var/log/snort/ is generated by
(alert rules will also generate these in addition to an entry in alerts)

also, what's the extra 'any' in that rule for? 
> log tcp any any -> x.x.x.x/x any any 

I read this rule as:
log all packets which are: 
  from any source address
  from any source port
  to x.x.x.x/x
  to any destination port
  and some stray extra 'any' that doesn't seem to belong.

Do you have a "nolog" directive in your conf? That will prevent any
logging, but still allow alert generation, which would make your rule do

At 11:17 AM 11/27/2001, you wrote:

log tcp any any -> x.x.x.x/x any any 
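
An added example, not part of the thread and not Snort's own code: a small lint for the rule header that the reply above reads out field by field. It assumes the header layout action, protocol, source address, source port, direction, destination address, destination port; `lint_header` and the field names are hypothetical.

```python
# Added example: lint the header of a Snort rule (the text before any "(options)").
# Assumed header layout: action proto src_addr src_port direction dst_addr dst_port
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
FIELDS = ["action", "proto", "src_addr", "src_port",
          "direction", "dst_addr", "dst_port"]


def lint_header(rule):
    """Return a list of problems in the rule header; empty list means it parses."""
    tokens = rule.split("(", 1)[0].split()
    problems = []
    if len(tokens) < len(FIELDS):
        problems.append("missing field(s): " + ", ".join(FIELDS[len(tokens):]))
    elif len(tokens) > len(FIELDS):
        problems.append("stray token(s) after dst_port: "
                        + " ".join(tokens[len(FIELDS):]))
    fields = dict(zip(FIELDS, tokens))
    # Addresses and ports are treated as opaque strings, so redacted values
    # such as x.x.x.x/x pass through; only the keyword fields are checked.
    for name, allowed in (("action", ACTIONS), ("proto", PROTOCOLS),
                          ("direction", DIRECTIONS)):
        if name in fields and fields[name] not in allowed:
            problems.append("invalid %s %r (expected one of: %s)"
                            % (name, fields[name], ", ".join(sorted(allowed))))
    return problems


# Rule lines as they appear in the thread, plus one constructed well-formed rule.
SAMPLES = [
    "log udp any any --> any",
    "log tcp any any -> x.x.x.x/x any any",
    "log tcp any any -> any any",   # constructed
]

if __name__ == "__main__":
    for rule in SAMPLES:
        issues = lint_header(rule)
        print(rule)
        for issue in issues or ["ok"]:
            print("    " + issue)
```

Running a rules file through a check like this before loading it separates header typos from real logging or output-plugin problems.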



