[Snort-users] RE: Alert OR syslog?
erek at ...577...
Fri Dec 6 14:12:10 EST 2002
On Fri, 6 Dec 2002, L. Christopher Luther wrote:
> Snort's command line directives sometimes do "strange" (my opinion only)
> things, so it is possible that by specifying two alert facilities on the
> command line, one is taking precedence over the other.
The basica assumption is that since you've put something on the command
line, it should be what you want 'right now'. Anything listed on the
command line will _override_ whatever you have in the .conf file.
> Instead, I use output directives in the snort.conf file to specify multiple
> log and/or alert facilities. Have you tried placing the following in your
> output alert_full: alert.ids
> alert_syslog: LOG_AUTH LOG_ALERT
> And removing the "-A fast" and "-s" command line options? This will alert
> first to the ASCII file alert.ids, then to the syslog facility.
Right. Perfect way to do it.
One other thing you can do is to define a 'custom rule type' that includes
both syslog and full alerts.
Side note: Why don't you log to binary, re-run the binary pcaps thru
snort and have it generate the text files (maybe even syslog stuff) at a
later time. Only wanting the syslog output for watching/tailing would
stop you from doing that...
More information about the Snort-users