[Snort-users] No alerts
bmccarty at ...5196...
Mon Mar 25 16:50:15 EST 2002
Well, I have as much trouble recalling what I read as I do understanding it
in the first place <grin>. And, day by day, I seem to be worse at each.
But, my configuration seems to be sanctioned. From the users manual:
> Multiple output plugins may be specified in the Snort configuration file.
> When multiple plugins of the same type (log, alert) are specified, they
> are "stacked" and called in sequence when an event occurs. As with the
> standard logging and alerting systems, output plugins send their data to
> /var/log/snort by default or to a user directed directory (using the "-l"
> command line switch).
So, am I one of a few rare birds actually stacking multiple output plugins?
My guess is not, but it's merely a guess. I do see that the Honeynet folks
use, or used, a similar configuration. In fact, I think I based mine on
theirs. See <http://project.honeynet.org/papers/honeynet/snort.conf>.
In any case, my question stands: Is there a convenient way to obtain near
real-time alert reporting when logging only to a binary file? Otherwise,
there's a strong reason for WANTING to stack multiple output plugins.
Though it's certainly possible that doing so may increase the frequency or
severity of snort problems, despite evidence that doing so should work
okay. I dunno.
--On Monday, March 25, 2002 4:28 PM -0500 Brian <bmc at ...950...> wrote:
> According to Bill McCarty:
>> output alert_syslog: LOG_LOCAL1 LOG_INFO
>> output log_tcpdump: snort.log
>> output alert_full: /space1/snort/snort-full
>> output alert_fast: /space1/snort/snort-fast
>> Q: What am I missing?
> A read through the users manual?
> Why are you trying to log to 4 places at once? Don't do that.
> pick one output plugin and stick to that.
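The question left open above is how to get near real-time reporting when Snort logs only to a binary file. The following is an added example, not code from this thread, from Snort, or from the Honeynet configuration it links: a small Python tailer that follows a growing libpcap-format file (the format `log_tcpdump` writes) and reports each complete record as it appears, holding back any partially written record until the rest of its bytes arrive. It assumes the file uses the standard pcap header with an Ethernet link type; the sample pcap bytes, addresses and timestamps are constructed here for the demonstration and are not real Snort output.

```python
"""Follow a growing pcap file and report new records as they appear (added example)."""
import socket
import struct
import time
from typing import Dict, Iterator, List, Optional

# pcap magic number as it appears on disk for each byte order.
_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
_GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
_RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
_LINKTYPE_ETHERNET = 1


def summarize_ethernet_ipv4(frame: bytes) -> Dict[str, object]:
    """Return IPv4 endpoints and protocol of an Ethernet frame (None fields if not IPv4)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"proto": None, "src": None, "dst": None}
    return {"proto": frame[23],                       # IP header byte 9 is the protocol
            "src": socket.inet_ntoa(frame[26:30]),   # IP header bytes 12..15
            "dst": socket.inet_ntoa(frame[30:34])}   # IP header bytes 16..19


class PcapTailer:
    """Stateful parser: feed() it byte chunks as they arrive; it returns complete records only."""

    def __init__(self) -> None:
        self._buf = b""
        self._endian: Optional[str] = None
        self.linktype: Optional[int] = None

    def pending(self) -> int:
        """Bytes held back because the record they belong to is not complete yet."""
        return len(self._buf)

    def feed(self, chunk: bytes) -> List[Dict[str, object]]:
        self._buf += chunk
        records: List[Dict[str, object]] = []
        if self._endian is None:
            if len(self._buf) < _GLOBAL_HDR_LEN:
                return records
            endian = _MAGIC.get(self._buf[:4])
            if endian is None:
                raise ValueError("not a pcap file (unknown magic %r)" % self._buf[:4])
            self._endian = endian
            self.linktype = struct.unpack(endian + "IHHiIII", self._buf[:_GLOBAL_HDR_LEN])[6]
            self._buf = self._buf[_GLOBAL_HDR_LEN:]
        while len(self._buf) >= _RECORD_HDR_LEN:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
                self._endian + "IIII", self._buf[:_RECORD_HDR_LEN])
            end = _RECORD_HDR_LEN + incl_len
            if len(self._buf) < end:
                break  # partial record: the writer is still appending it, wait for more bytes
            frame = self._buf[_RECORD_HDR_LEN:end]
            self._buf = self._buf[end:]
            rec: Dict[str, object] = {"ts": ts_sec + ts_usec / 1e6, "caplen": incl_len, "len": orig_len}
            if self.linktype == _LINKTYPE_ETHERNET:
                rec.update(summarize_ethernet_ipv4(frame))
            records.append(rec)
        return records


def follow(path: str, interval: float = 1.0) -> Iterator[Dict[str, object]]:
    """Yield each new record from a pcap file as it grows, polling like tail -f."""
    tailer = PcapTailer()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                time.sleep(interval)   # at EOF; a later read returns bytes appended since
                continue
            for rec in tailer.feed(chunk):
                yield rec


def build_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Constructed test data: one pcap record per frame, timestamps are made up."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, _LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1016965815 + i, 0, len(frame), len(frame)) + frame
    return out


def _ipv4_frame(src: str, dst: str, proto: int) -> bytes:
    """Constructed minimal Ethernet/IPv4 frame carrying an empty 20-byte transport header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + b"\x00" * 20


# Constructed sample traffic: one TCP (6) and one UDP (17) frame between two private hosts.
SAMPLE_FRAMES = [_ipv4_frame("10.0.0.1", "10.0.0.2", 6), _ipv4_frame("10.0.0.2", "10.0.0.1", 17)]


def replay_in_chunks(data: bytes, chunk_size: int) -> List[Dict[str, object]]:
    """Feed data in small chunks to show partial records are held until complete."""
    tailer = PcapTailer()
    records: List[Dict[str, object]] = []
    for i in range(0, len(data), chunk_size):
        records.extend(tailer.feed(data[i:i + chunk_size]))
    return records


if __name__ == "__main__":
    for rec in replay_in_chunks(build_pcap(SAMPLE_FRAMES), 7):
        print("%.6f %s -> %s proto=%s caplen=%d" % (
            rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["caplen"]))
```

Against a live file you would iterate `follow("/var/log/snort/snort.log")` instead of `replay_in_chunks`; the 7-byte replay exists only to exercise the partial-record path that a tailer hits constantly on a file being written. Note what this does and does not give you: `log_tcpdump` records packets, not rule names or classifications, so a tailer on that file can report traffic in near real time but cannot by itself say which rule fired. That is exactly the gap that stacking an `alert_*` plugin beside the binary log fills.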