[Snort-users] db logging

roman at ...438... roman at ...438...
Mon Oct 29 18:39:02 EST 2001


> All I really want is to look at the data in the dbase and am not too
> concerned about looking for intrusion detection.  So other than the 
> logging rules I can just disable the rules right?

Disable all preprocessors and use a set of rules like:

log tcp any any -> any any (msg: "TCP";)
log udp any any -> any any (msg: "UDP";)
log icmp any any -> any any (msg: "ICMP";)

> Which database scheme is in the latest daily snapshot?  Should have
> looked while I was at home!

v104 is in the latest snapshot.

> This is going to take a while to put into the database isn't it?  The
> file is 19Gig in size.

It will definitely take "a while".

Roman

