[Snort-users] Same question again..

John Sage jsage at ...2022...
Sat May 25 10:37:01 EDT 2002


On Linux 2.2.14, snort 1.8.4 build 99, I'm doing this:

Command line:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf

Relevant snort.conf:

<snip>
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT 

output alert_syslog: LOG_DAEMON LOG_ALERT
# keep as from 1.8.2 - this is FACILITY-LEVEL, I believe.. 
# -------------------------------------------------
# output alert_full

output alert_full: /var/log/snort/alert184.full
# keep as from 1.8.2 # attempted in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
# attempted in snort18REL.conf for snort 1.8.1-RELEASE
# hasn't been shown in snort.conf for several releases: works as from 1.7
<snip>


This binary logs to this sort of a file, for example:

4678983 May 20 15:19 snort-0520 at ...5939...


and alerts go to this sort of a file:

11226 May 20 15:14 alert184.full-0520 at ...5939...


and syslog gets the alerts, and logcheck picks them up, thus:

<snip>
Security Violations
=-=-=-=-=-=-=-=-=-=
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
<snip>


So this works for me...

YMMV..


- John
-- 
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 

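The syslog line above is what a logcheck-style filter has to make sense of. As an added illustration (not code from the original post or from the Snort project), here is a small parser for that alert format, including the "+" continuation lines logcheck uses when it wraps a long entry; the sample lines are constructed for the example, and the regex assumes the classic "snort: [gid:sid:rev] msg {PROTO} src:port -> dst:port" layout shown above.

```python
import re

# Syslog alert as shown in the thread: timestamp, host, "snort:" (optionally
# with a pid), the [gid:sid:rev] triplet, rule message, {PROTO} and the flow.
# Ports are optional so protocols without them (e.g. ICMP) also match.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: the line quoted in the post (wrapped by logcheck with a
# leading '+'), one unrelated syslog entry, and one hypothetical ICMP alert.
SAMPLE_LINES = [
    "May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}",
    "+211.202.3.249:2986 -> 12.82.133.65:1433",
    "May 20 15:14:40 greatwall sshd[123]: Accepted publickey for john",
    "May 20 15:16:02 greatwall snort: [1:0:0] ICMP echo request {ICMP} 10.0.0.5 -> 10.0.0.1",
]


def unwrap(lines):
    """Rejoin logcheck continuation lines (leading '+') with the previous line."""
    out = []
    for line in lines:
        if line.startswith("+") and out:
            out[-1] += " " + line[1:]
        else:
            out.append(line)
    return out


def parse_alerts(lines):
    """Return a list of dicts, one per Snort alert; non-alert lines are skipped."""
    alerts = []
    for line in unwrap(lines):
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            if d[key] is not None:
                d[key] = int(d[key])
        alerts.append(d)
    return alerts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LINES):
        print(f"{a['gid']}:{a['sid']}:{a['rev']} {a['proto']} {a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
```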


On Thu, May 23, 2002 at 03:36:46PM -0400, C Boss wrote:
> Guys, help me out here please. This is the second time I have put out this 
> question. Is the question plain stupid or do you need more information? 
> Please let me know.
> 
> "I want to log in a binary format and thus am using the -b option. I am also 
> logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS 
> in the snort.conf file.
> 
> The problem is that if I use the -b option with Snort, I don't see any
> alerts in the syslog.
> 
> Do the two not work together?"
> 
> Thanks.
