[Snort-users] snort logging, maybe newbie and stupid

Federico Lombardo egopfe at ...125...
Wed Aug 28 01:39:05 EDT 2002


Hi all, I have some questions about how Snort logging works.

I have these entries in my snort.conf:

preprocessor http_decode: 80 443 3128 8080 -unicode -cginull
preprocessor frag2: 16777216, 30
preprocessor stream4: 16777216, 40, detect_state_problem
preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443 513 1433 2138 2255 5631 8080
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor arpspoof


And these for logging:

ruletype redalert
{
type alert
output database: log, mysql, user=snort dbname=snort_alert host=192.168.0.2 password=***** sensor_name=name detail=full
}
ruletype archive
{
type log
output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password=***** sensor_name=name detail=full
}


Ok, all works correctly, all alerts are logged into the db...
My question is... WHY are some alerts, such as stream4, frag2 and other
preprocessor alerts, logged into a normal file (/var/log/snort/alerts) instead
of the db?
Is it a configuration error on my side, or are they only loggable to a file??

Thanks in advance,

Federico
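As an added illustration (not part of the original message) of the output scoping that produces the symptom described above: in Snort 1.x/2.x, output plugins declared inside a ruletype block are only used by rules declared with that ruletype, while alerts raised by preprocessors such as stream4 and frag2 are written through the global output plugins, which fall back to the plain alert file in the log directory when none is declared. The host, database names and sensor_name are taken from the post; the password is a placeholder.

```conf
# Global output plugin: preprocessor alerts (stream4, frag2, arpspoof, ...)
# and plain "alert" rules are written here. Without a global output line,
# Snort falls back to the default alert file in its log directory.
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password=<PASSWORD_PLACEHOLDER> sensor_name=name detail=full

# Ruletype-scoped output: only rules written as "redalert ..." (instead of
# "alert ...") use this plugin; preprocessor alerts never reach it.
ruletype redalert
{
    type alert
    output database: log, mysql, user=snort dbname=snort_alert host=192.168.0.2 password=<PASSWORD_PLACEHOLDER> sensor_name=name detail=full
}

# Same for "archive ..." rules (instead of "log ...").
ruletype archive
{
    type log
    output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password=<PASSWORD_PLACEHOLDER> sensor_name=name detail=full
}
```

Once the global output line is present, check that the preprocessor events stop appearing in the flat alert file and show up in the snort_alert database instead.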