[Snort-users] Alert OR syslog?

Don Don at ...5881...
Thu Dec 5 13:24:03 EST 2002


My apologies, this would be referring to the win32 port of versions 1.8.6 and
earlier of snort.

don

  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Don
  Sent: Thursday, December 05, 2002 11:37 AM
  To: snort-users at lists.sourceforge.net
  Subject: RE: [Snort-users] Alert OR syslog?


  umm, with -s you need to put in the syslog server address, so
  /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0
  would become
  /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s 192.168.0.2:514 -i rl0

  or you would put your syslog server IP addy there with the listening TCP
port number; works for me. For some reason it's always required me to put in
the port number.

  Don

    -----Original Message-----
    From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Weiss, Jeffrey H.
    Sent: Thursday, December 05, 2002 9:57 AM
    To: 'Alberto Gonzalez'
    Cc: snort-users at lists.sourceforge.net
    Subject: RE: [Snort-users] Alert OR syslog?


    Hi, Alberto,
    Thanks for your response.
    Reasons for 3 types of logging (may not be good reasons):
    1. Binary format allows analysis tools to be leveraged (snortsnarf).
    2. Alert log provides a local, easily perused/tailed indicator of nasties
and falsies.
    3. Syslog entries can be directed off-server to a remote central logging
server.
    I could work without the alert log but don't understand why enabling
syslog disables it.

    Not sure I understand your blame_cmg...new flag?
    Thanks,
    Jeffrey

    -----Original Message-----
    From: Alberto Gonzalez [mailto:albertg at ...7149...]
    Sent: Thursday, December 05, 2002 2:00 PM
    Cc: snort-users at lists.sourceforge.net
    Subject: Re: [Snort-users] Alert OR syslog?



    In your command line, you're doing binary logging (-b), full logging (-A
    full) and syslog (-s).
    I haven't tried to do both syslog and FULL (waste of time?).

    When I run it with the following command snort seems to run fine:

    /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

    So give that a try, I'm not sure why someone wants 3 logging mechanisms,
    but hey!

    Cheers!

       - Alberto

    (sorry cmg for the syslog part :-)) <grin>



    Weiss, Jeffrey H. wrote:

    > I am wondering why I cannot get both an alert log written AND
    > syslogging to occur.
    >
    > My command line invocation:
    > snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l
    > /logs/UA/snort -s -i qfe0
    >
    > Pertinent snort.conf(?):
    > output alert_syslog: LOG_ALERT
    >
    > Is there something too obvious here?
    > Thanks!
    > Jeffrey Weiss
    >

    --
    The secret to success is to start from scratch and keep on scratching.





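The thread above boils down to one Snort behaviour: the command-line alert switches (-A and -s) each select a single alert method and, as the Snort manual states, command-line logging options override whatever output lines are in snort.conf, which is why adding -s appears to switch the full alert file off. The way to get binary packet logs, a full alert file and syslog at the same time is to drop -b, -A and -s from the command line and declare all three output plugins in snort.conf. The fragment below is an added example written for this page, not configuration posted by any participant; the file names, the LOG_AUTH facility, the /logs/UA/snort log directory and the qfe0 interface are taken from or chosen to match the thread, and the commented host= line is the Win32-only remote-syslog form from later Snort releases, which should be checked against the manual for the version in use.

```conf
# snort.conf output section (added example; not from the thread).
# Leave -b, -A and -s OFF the command line: those switches pick one alert
# method each and override these output lines.

# 1. Binary (tcpdump-format) packet log for offline analysis tools,
#    written under the directory given with -l (equivalent of -b).
output log_tcpdump: snort.log

# 2. Full-text alert file for local tail/perusal (equivalent of -A full).
output alert_full: alert.full

# 3. Syslog, so the same alerts can be forwarded to a central log server.
#    facility LOG_AUTH, priority LOG_ALERT (the thread used LOG_ALERT).
output alert_syslog: LOG_AUTH LOG_ALERT

# Win32 builds of later releases send syslog directly to a remote host,
# matching the "-s 192.168.0.2:514" form used in the thread (check your
# version's manual before relying on this line):
# output alert_syslog: host=192.168.0.2:514, LOG_AUTH LOG_ALERT

# Matching command line (no -b, -A or -s; -I adds the interface name to alerts):
#   snort -c /usr/local/etc/snort/snort.conf -l /logs/UA/snort -I -i qfe0
```

Each `output` line registers an independent plugin, so removing or adding one never disables another; when checking a deployment, confirm that alert.full and snort.log appear under the -l directory and that the collector on 192.168.0.2 receives entries with the expected facility (LOG_AUTH) rather than the syslog daemon's default, since an alert that only reaches one of the three sinks is the symptom the original poster described.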