[Snort-users] Stupid question, as in I ought to know the answer to

Phil Wood cpw at ...440...
Tue Jun 25 11:30:05 EDT 2002


Well, I mis-spoke it turned out.  I took a closer look, and the type "log"
really did not work.  So, for now I write alerts to /dev/null and the red
alerts do go to syslog and I get everything in the binarylogfile.  
What I'm trying to do is cut down on the cpu devoted to unnessary stuff.
Any ideas on the right way to do this?

The only thing that works for me at this point is:

      output alert_fast: /dev/null  <<<< I don't want to see all the alerts
      output log_tcpdump: /some/full/path/to/binarylogfile
      ruletype redalert
      {
        type alert <<<<<  I just want the redalert's to show up immediately
        output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
      }

I post processes the binary file for the regular alerts at a later time.  

On Tue, Jun 25, 2002 at 10:35:09AM -0600, Phil Wood wrote:
> 
> Here is what I want to do:
> 
>   1. log alerts to binary file
>   2. log "redalerts" to syslog
>   3. DO NOT create an alert file (fast or full)
>   
> Here is what I did to get that to happen:
> 
>   1. put the following in my config file:
> 
>      output log_tcpdump: /some/full/path/to/binarylogfile
> 
>      ruletype redalert
>      {
>        type log  <<<--- notice not alert
>        output alert_syslog: LOG_LOCAL5 LOG_DEBUG LOG_PERROR
>      }
> 
>   2. start snort with the -A none option
> 
> This causes a WARNING:
> 
> WARNING: command line overrides rules file alert plugin!
> 
> However, I get the desired result, namely no alert file (fast or full format),
> and syslogs for the few redalerts I want to know about instantly.
> 
> So, what could I do otherwise to get the desired result, and avoid the
> WARNING?
> 
> Thanks,
> 
> Phil
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber Inc.
> Don't miss the IM event of the season | Special offer for OSDN members! 
> JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list