gsarsons at ...530...
Sat Sep 15 21:05:02 EDT 2001
What I'm trying to do ......
I want to do some traffic analysis of a network so I can see what
is going on. So I've put together a box that is running
snort, mysql, acid, etc. But my problem is this.
I want to collect all the traffic. So I've got the rules to log_tcpdump
with "output log_tcpdump: snort.log" and I'm also sending to a mysql db
with "output database: log, mysql, ...."
This is started from snortd with the options
/snort -u snort -g snort -d -D \
I don't see any warnings in /var/log/messages about the command line
overriding a rule.
So I have a couple of questions. The first is, what do I do to log all
the traffic, i.e. pop requests, traceroute, etc.? Next, what is the big
difference between "output database: log ..." and "output database: alert ..."?
Would I be better off using the unified binary format?
Any suggestions would be appreciated.
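Not part of the original post or of Snort itself: an added example that reads the libpcap file the log_tcpdump plugin writes and summarizes what actually landed in it, per protocol and destination port, which is one way to check whether the traffic you expected (POP requests, traceroute probes) was really logged. The capture is constructed inline (two TCP SYNs to port 110 and one ICMP echo, made-up addresses) to stand in for snort.log; the example assumes an Ethernet link type and does not verify IP checksums.

```python
"""Minimal parser for the libpcap files written by Snort's log_tcpdump plugin.

The sample capture built below is constructed for this example (not real
traffic): two TCP SYNs to port 110 (POP3) and one ICMP echo request.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xa1b2c3d4        # magic as read little-endian from a LE file
PCAP_MAGIC_SWAPPED = 0xd4c3b2a1   # same magic when the file is big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PROTO_NAMES = {IPPROTO_ICMP: "icmp", IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}

# Made-up MAC addresses for the constructed frames.
ETH_HDR = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))


def _ipv4_header(proto, payload_len, src, dst):
    """20-byte IPv4 header; checksum left 0 because the parser never checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0, bytes(src), bytes(dst))


def build_tcp_frame(sport, dport, payload=b""):
    """Ethernet/IPv4/TCP frame carrying a SYN (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = _ipv4_header(IPPROTO_TCP, len(tcp) + len(payload),
                      (10, 0, 0, 5), (10, 0, 0, 9))
    return ETH_HDR + ip + tcp + payload


def build_icmp_frame():
    """Ethernet/IPv4/ICMP echo request (constructed sample data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = _ipv4_header(IPPROTO_ICMP, len(icmp), (10, 0, 0, 5), (10, 0, 0, 9))
    return ETH_HDR + ip + icmp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, the format log_tcpdump writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(frame), len(frame)) + frame
    return out


def summarize_pcap(data):
    """Return a Counter of packets per protocol (tcp/udp keyed by dest port)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled in this example")
    counts = Counter()
    off = 24  # size of the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:          # 14 Ethernet + 20 IPv4 bytes minimum
            counts["short"] += 1
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            counts["non-ipv4"] += 1
            continue
        ihl = (frame[14] & 0x0f) * 4
        proto = frame[14 + 9]
        name = PROTO_NAMES.get(proto, "ip-proto-%d" % proto)
        l4 = 14 + ihl
        if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
            dport = struct.unpack_from("!HH", frame, l4)[1]
            counts["%s/%d" % (name, dport)] += 1
        else:
            counts[name] += 1
    return counts


# Constructed stand-in for snort.log: two POP3 SYNs and one ICMP echo.
SAMPLE_CAPTURE = build_pcap([
    build_tcp_frame(40000, 110),
    build_tcp_frame(40001, 110, b"USER bob\r\n"),
    build_icmp_frame(),
])

if __name__ == "__main__":
    for key, n in sorted(summarize_pcap(SAMPLE_CAPTURE).items()):
        print("%-12s %d" % (key, n))
```

Point it at a real snort.log (read the file in binary mode and pass the bytes to summarize_pcap) to see whether port 110 and ICMP entries appear at all; if they do not, the packets never reached the log_tcpdump plugin, which separates a capture problem from a database or ACID display problem.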