[Snort-users] Alert vs. Log?

Nels Lindquist nlindq at ...3834...
Mon Mar 4 15:04:03 EST 2002


Okay, I'm confused.

What exactly is the difference between "log" and "alert?"  I'm using 
snort 1.8.3 with the following output configuration in 
/etc/snort/snort.conf:

output database: log, mysql, user=[user] password=[password] dbname=snort

Snort is launched from a SysV init script as follows:

daemon /usr/local/bin/snort -u snort -g snort -d -D \
        -i $INTERFACE -c /etc/snort/snort.conf

Now, I was under the impression that logging to a database was the 
desired behaviour, and that doing so would override the default 
logging to syslog, text file etc.  However, alerts are still being 
recorded in /var/log/snort/alert in plain ASCII.  I don't want 'em 
there; I'm using ACID to look at the alerts which are logged in the 
MySQL database.

So how do I convince snort that I don't want ASCII alerts?  If I add 
"-A none" to the snort command line, then *all* logging (including 
the database) is turned off, not just alerts.  I would have thought 
I'd need "-N" on the command line to turn off logging, but apparently 
not.  If I switch the output database definition to "alert" instead 
of "log", then I don't get all the details about IP addresses, etc.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.