[Snort-users] snort-1.8.7 and alert file
scheidell at ...5171...
Fri Aug 2 07:58:03 EDT 2002
"Andrew R. Baker" <andrewb at ...950...> wrote in message
news:3D46B227.4010205 at ...6514...
> get rid of the log_null and the "-N" on the commandline. Instead add
> "-A none" to your commandline to turn off the alerting. The unified log
> file will contain the alert data *and* the packet logs.
I have attempted, on many versions of both snort and barnyard, to have one
copy of snort and barnyard do both the log and alert files.
I have ended up needing one copy of snort (which outputs TWO unified files)
and two copies of barnyard with two different config files.
What I would want to do is to have snort create a unified file with both log
and alerts in it.
It seems to be able to do that (I think), but I don't know how to verify that
this file has logs AND alerts in it.
/usr/local/bin/snort -doDI -m 022 -z \
-c /usr/local/etc/snort.conf -i rl0 -A none
(using -l /var/log/snort instead of -A none only creates an 'alerts' file from
snort, not barnyard)
snort.conf: (it's all in /var/log/snort/log.* right?)
#output alert_unified: filename /var/log/snort/alert, limit 128
output log_unified: filename /var/log/snort/log, limit 128
-rw-r--r-- 1 root wheel 1386 Aug 2 10:37 log.1028298969
Barnyard seems to process the 'log.*' file and log plugins fine, but not the alert
Loading Data Processors...
Loading Built-in Output Plugins...
Fast Alert plugin initialized
Log Dump plugin initialized
AcidDb output plugin initialized
config interface: LAN
config filter: not localhost
output alert_fast: /var/log/snort/fast.alert
output alert_csv: /var/log/snort/fast.csv protoname,timestamp,srcip,sport
output log_acid_db: mysql, sensor_id 1, database snort,
Neither the fast.alert file nor the csv file is updated,
not when run in daemon mode, nor one-shot:
-rw-r--r-- 1 root security 1386 Aug 2 10:37 log.1028298969
drwxr-xr-x 2 root security 1024 Aug 2 10:37 archive
-rw-r--r-- 1 root security 2333429 Aug 1 00:44 fast.alert
Aug 2 10:44:47 scanner barnyard: Args: mysql, sensor_id 1, database snort,
server localhost, user root, detail full
Aug 2 10:44:47 scanner barnyard: Initializing daemon mode
Aug 2 10:44:47 scanner barnyard: Barnyard Version 0.1.0-rc2 (Build 11)
Aug 2 10:44:47 scanner barnyard: AcidDbOpStart
Aug 2 10:44:47 scanner barnyard: OpAcidDB configuration details
Aug 2 10:44:47 scanner barnyard: Database Flavour: mysql
Aug 2 10:44:47 scanner barnyard: Detail Level: Full
Aug 2 10:44:47 scanner barnyard: Database Server: localhost
Aug 2 10:44:47 scanner barnyard: Database User: root
Aug 2 10:44:47 scanner barnyard: SensorID: 1
Aug 2 10:44:47 scanner barnyard: AcidDbOpStart Complete
Aug 2 10:44:47 scanner barnyard: Number of records: 2
Aug 2 10:44:47 scanner barnyard: Exiting
Aug 2 10:44:47 scanner barnyard: AcidDbOpStop
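One way to check what a log_unified file actually holds, added here as an example and not code from this thread, from Snort or from Barnyard: walk the file record by record and print the Event (the alert) fields next to the captured packet length, so you can see that each record carries both. The on-disk layout used below (LOG_MAGIC, ALERT_MAGIC, the UnifiedLogFileHeader, Event and UnifiedLog structs, 32-bit native-endian fields with 32-bit timeval members) is an assumption taken from Snort 1.8's spo_log_unified.h and event.h; verify the offsets against the headers of your own build. The sample file is constructed inline so the script runs offline; pass a real log.* file as the first argument to inspect it instead.

```python
"""Inspect a Snort 1.8-era log_unified file: one Event plus one packet per record.

Added example for this thread, not Snort or Barnyard code. The layout is an
ASSUMPTION from Snort 1.8's spo_log_unified.h / event.h (32-bit host, native
byte order, timeval as two 32-bit fields, no padding). Check your headers.
"""
import struct
import sys

LOG_MAGIC = 0xDEAD1080    # assumed: first word of a log_unified file
ALERT_MAGIC = 0xDEAD4137  # assumed: first word of an alert_unified file

# UnifiedLogFileHeader: magic, version_major, version_minor, timezone,
# sigfigs, snaplen, linktype                                   (24 bytes)
FILE_HDR = struct.Struct("=IHHIIII")
# Event: sig_generator, sig_id, sig_rev, classification, priority,
# event_id, event_reference, ref_time.tv_sec, ref_time.tv_usec (36 bytes)
EVENT = struct.Struct("=IIIIIIIII")
# Rest of UnifiedLog: flags, pkth.ts.tv_sec, pkth.ts.tv_usec,
# pkth.caplen, pkth.pktlen                                     (20 bytes)
LOG_TAIL = struct.Struct("=IIIII")


def file_kind(data):
    """Classify a unified file by its magic: 'log' (events + packets),
    'alert' (events only, no packets) or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack_from("=I", data, 0)[0]
    return {LOG_MAGIC: "log", ALERT_MAGIC: "alert"}.get(magic, "unknown")


def read_unified_log(data):
    """Return (header, records) for a log_unified file. Every record holds
    the Event (the alert data) and the packet that triggered it."""
    kind = file_kind(data)
    if kind != "log":
        raise ValueError("not a log_unified file (kind=%s)" % kind)
    buf = memoryview(data)
    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = FILE_HDR.unpack_from(buf, 0)
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records, off = [], FILE_HDR.size
    while off < len(buf):
        if len(buf) - off < EVENT.size + LOG_TAIL.size:
            raise ValueError("truncated record at offset %d" % off)
        ev = EVENT.unpack_from(buf, off)
        off += EVENT.size
        flags, sec, usec, caplen, pktlen = LOG_TAIL.unpack_from(buf, off)
        off += LOG_TAIL.size
        # caplen is bounded by snaplen; anything larger means a corrupt or
        # mis-parsed record, so stop instead of walking off into garbage.
        if caplen > snaplen or len(buf) - off < caplen:
            raise ValueError("bad caplen %d at offset %d" % (caplen, off))
        records.append({
            "gen": ev[0], "sid": ev[1], "rev": ev[2], "classification": ev[3],
            "priority": ev[4], "event_id": ev[5], "event_ref": ev[6],
            "flags": flags, "ts": (sec, usec), "caplen": caplen,
            "pktlen": pktlen, "packet": bytes(buf[off:off + caplen]),
        })
        off += caplen
    return header, records


def summarize(data):
    """Record count, records carrying an alert (non-zero sig_id) and
    records carrying packet bytes."""
    _hdr, recs = read_unified_log(data)
    return {"records": len(recs),
            "with_alert": sum(1 for r in recs if r["sid"]),
            "with_packet": sum(1 for r in recs if r["caplen"])}


def build_sample_log(events, snaplen=1514, linktype=1):
    """Serialize (event_tuple, packet_bytes) pairs in the assumed layout;
    only used to construct the offline sample below."""
    out = [FILE_HDR.pack(LOG_MAGIC, 1, 2, 0, 0, snaplen, linktype)]
    for ev, pkt in events:
        out.append(EVENT.pack(*ev))
        out.append(LOG_TAIL.pack(0, ev[7], ev[8], len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


# Constructed sample: two events (gen, sid, rev, class, prio, event_id,
# event_ref, sec, usec) with dummy 60- and 40-byte packets.
SAMPLE_EVENTS = [
    ((1, 1000001, 1, 0, 3, 1, 1, 1028298969, 0), bytes(range(60))),
    ((1, 1000002, 2, 0, 2, 2, 2, 1028298970, 0), bytes(range(40))),
]
SAMPLE_FILE = build_sample_log(SAMPLE_EVENTS)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    hdr, recs = read_unified_log(data)
    print("log_unified v%d.%d snaplen=%d linktype=%d"
          % (hdr["version"][0], hdr["version"][1], hdr["snaplen"], hdr["linktype"]))
    for r in recs:
        print("event %d  sig %d:%d:%d  prio %d  caplen %d/%d"
              % (r["event_id"], r["gen"], r["sid"], r["rev"],
                 r["priority"], r["caplen"], r["pktlen"]))
    print(summarize(data))
```

If the magic comes back as ALERT_MAGIC the file is an alert_unified file, which carries events but no packets; that distinction is exactly what the quoted advice turns on, since with "-A none" only the log_unified file is written and it already contains the alert data for each logged packet.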