[Snort-users] loging

Greg Sarsons gsarsons at ...530...
Sat Sep 15 21:05:02 EDT 2001

What I'm trying to do ......

I'm wanting to do some traffic analysis of a network so I can see what
is going on.  So I've put together a box that is running
snort,mysql,acid etc.  But my problem is this.

I want to collect all the traffic.  So I've got the rules to log_tcpdump
with "ouput log_tcpdump: snort.log" and I've also sending to a mysql db
with "output database: log, mysql, ...."

This is started from snortd with the options 

/snort -u snort -g snort -d -D \
-c /etc/snort/snort.conf

I don't see any warnings in /var/log/messages about the command line
overriding a rule.

So I have a couple of questions.  The first is what do I do to log all
the traffic ie pop request, traceroute etc?  Next what is the big
difference with "output database: log ..." and "output database: alert

Would I be better off using the unified binary format?

Any suggestions would be appreciated?


More information about the Snort-users mailing list