[Snort-users] No alerts

Bill McCarty bmccarty at ...5196...
Mon Mar 25 16:50:15 EST 2002

Hi Brian,

Well, I have as much trouble recalling what I read as I do understanding it 
in the first place <grin>. And, day by day, I seem to be worse at each.

But, my configuration seems to be sanctioned. From the users manual:

> Multiple output plugins may be specified in the Snort configuration file.
> When multiple plugins of the same type (log, alert) are specified, they
> are "stacked" and called in sequence when an event occurs. As with the
> standard logging and alerting systems, output plugins send their data to
> /var/log/snort by default or to a user directed directory (using the "-l"
> command line switch).

So, am I one of a few rare birds actually stacking multiple output plugins? 
My guess is not, but it's merely a guess. I do see that the Honeynet folks 
use, or used, a similar configuration. In fact, I think I based mine on 
theirs. See <http://project.honeynet.org/papers/honeynet/snort.conf>.

In any case, my question stands: Is there a convenient way to obtain near 
real-time alert reporting when logging only to a binary file? Otherwise, 
there's a strong reason for WANTING to stack multiple output plugins. 
Though it's certainly possible that doing so may increase the frequency or 
serverity of snort problems, despite evidence that doing so should work 
okay. I dunno.


--On Monday, March 25, 2002 4:28 PM -0500 Brian <bmc at ...950...> wrote:

> According to Bill McCarty:
>> output alert_syslog: LOG_LOCAL1 LOG_INFO
>> output log_tcpdump: snort.log
>> output alert_full: /space1/snort/snort-full
>> output alert_fast: /space1/snort/snort-fast
>> Q: What am I missing?
> A read through the users manual?
> Why are you trying to log to 4 places at once?  Don't do that.
> pick one output plugin and stick to that.
> -brian

Bill McCarty

More information about the Snort-users mailing list