[Snort-users] RE: Logging without alerting

L. Christopher Luther CLuther at ...6333...
Fri Dec 13 10:27:04 EST 2002


Check out this post, courtesy of Erek Adams
(mailto:erek at ...577...):  

http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

Maybe this will help.  

- Christopher


-----Original Message-----
To: snort-users at lists.sourceforge.net
From: JBFRYE at ...7742...
Date: Thu, 12 Dec 2002 16:00:33 -0600
Subject: [Snort-users] Logging without alerting

My understanding of the output facilities in Snort ( 1.87 ) is that there
are two, logging and alerting. The alerting facility exists to let you know
that something interesting has happened.  The logging facility exists to
log full packet information to the output format (pcap, ascii, database,
etc). The "alert" action is hard coded to do two things, write an event to
the alert facility and log to the output facility.  The "log" action logs
the current packet to the logging facility without generating an alert.
This led me to believe alerting could be turned off  ( -A none ) and I
would still see all the events in the binary log. Comparing an alert file
generated from the binary log ( rerun through Snort same rule set ) to one
generated by Snort on the first pass are not the same ( events are missing
from the binary log that are present in the alert file ). Are my
assumptions on the Snort output facilities incorrect or is this behavior a
bug.

FYI: I'm running four sensors that are logging binary format. The binary is
retrieved from the remote sensors every 30 min. and brought down to a
central Snort which processes the file and inserts the alerts into an
Oracle table.
The Snort startup command on the remote sensors is:
          /usr/local/snort/bin/snort -c /usr/local/snort/rules/snort.conf
-D -i hme1  -A none -u ddsa992 -g dsagrp -b
The Snort command on the Snort master is:
          /usr/local/snort/bin/snort  -c
/usr/local/snort/rules/sensor1.conf -r /opt/log/sensor1/name_of_binary_log


Jayme Frye

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021213/a1fe96f5/attachment.html>


More information about the Snort-users mailing list