[Snort-users] Lost in the config file

John Sage jsage at ...2022...
Wed Jun 26 20:49:04 EDT 2002


On Wed, Jun 26, 2002 at 08:56:31PM -0500, K. A. Steensma wrote:
> This is a very small portion of an old message -
> 
> -s xxx.xxx.xxx.xxx:xxx
> *** This works properly ***
> 
> I (really) have given the user manual and FAQ a 'pretty good' look and 
> can not figure out what the 3 numbers after the colon (:) are for. It 
> seems that I have 'skipped' reading a very necessary doc.

I'm not finding the syntax you've got, above, anywhere in the FAQ,
USAGE, or in man snort.

The FAQ only has -s at:

cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you at ...558...
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you at ...558...

USAGE only has:

To send alerts to syslog, use the -s switch.  The default facilities for the
syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT.  If you want to
configure other facilities for syslog output, use the output plugin directives
in the rules files (see the snort.conf file for more information).

and several command line examples where -s is followed by -h:

1) Log to default (decoded ASCII) facility and send alerts to syslog
snort -c snort.conf -l ./log -s -h 192.168.1.0/24 

2) Log to the default facility in /var/log/snort and send alerts to a fast
alert file:
snort -c snort.conf -s -h 192.168.1.0/24

man snort says:

-s Send alert messages to syslog.  On linux boxen, they will appear in
   /var/log/secure, /var/log/messages on many other platforms.

So I'm not seeing that syntax, anywhere...


> And I'm very mixed up in relating the command line options to the config 
> file.  What I mean is; I can add the '-i' command line option to 
> designate the interface to watch, but how would I put this into the 
> config file instead of on the command line?

The command line overrules the snort.conf settings; there's no way
that I know of to specify the interface in snort.conf.


> Am I missing something or is there no 'search' feature in the mailing 
> list archives at Geocrawler? I really feel like a novice (which I 
> really am when it comes to Snort).

There isn't that I know of. Personally, I prefer Neohapsis for
archives, see:

http://archives.neohapsis.com/archives/snort/

These, at least, can be sorted by author, subject, or thread.



- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
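The output plugin directive that USAGE points to but the thread never shows, as an added example (not part of the original post or of the Snort project's own files). It assumes the Snort 1.x-era `output alert_syslog:` syntax, classic syslogd, and example paths under /var/log/snort; every path below is an assumption.

```conf
# --- snort.conf, output section (added example, not from the original post) ---
#
# With no output directive, "snort -s" sends alerts to syslog with the
# defaults USAGE names: facility LOG_AUTHPRIV, priority LOG_ALERT, which on
# most Linux systems lands in /var/log/secure next to login messages.
# To pick a different facility, drop -s from the command line and put the
# choice in snort.conf instead (the command line takes precedence, so leaving
# -s on would bring the defaults back):
output alert_syslog: LOG_LOCAL5 LOG_ALERT

# Optional: keep a fast-alert file as well; output plugins of the same type
# stack, so both destinations receive every alert. Path is an assumption.
output alert_fast: /var/log/snort/alert.fast

# --- /etc/syslog.conf (classic syslogd) ---
#
# Route the local5 facility to its own file so Snort alerts are separated
# from authentication logs. Classic syslogd wants a TAB, not spaces, between
# selector and action. File path is an assumption.
local5.*	/var/log/snort/syslog-alerts
```

Start Snort without -s so the directive above is what selects the syslog facility, e.g. `snort -c /etc/snort/snort.conf -l /var/log/snort -h 192.168.1.0/24 -i eth0` (paths again assumed); after a `kill -HUP` of syslogd, a test alert should appear in /var/log/snort/syslog-alerts and not in /var/log/secure.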
