[Snort-users] Same question again..

C Boss cboss99 at ...125...
Wed May 29 07:22:11 EDT 2002


This is how I startup Snort:

/usr/local/snort -b snort.conf -i eth0 -D

This is how the relevant part of my snort.conf looks:

output alert_syslog: LOG_LOCAL7 LOG_ALERT

output log_tcpdump: snort.log


>From: John Sage <jsage at ...2022...>
>To: C Boss <cboss99 at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Same question again..
>Date: Sat, 25 May 2002 10:36:36 -0700
>
>On Linux 2.2.14, snort 1.8.4 build 99, I'm doing this:
>
>Command line:
>
>/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf
>
>Relevant snort.conf:
>
><snip>
># alert_syslog: log alerts to syslog
># ----------------------------------
># Use one or more syslog facilities as arguments
>#
># output alert_syslog: LOG_AUTH LOG_ALERT
>
>output alert_syslog: LOG_DAEMON LOG_ALERT
># keep as from 1.8.2 - this is FACILITY-LEVEL, I believe..
># -------------------------------------------------
># output alert_full
>
>output alert_full: /var/log/snort/alert184.full
># keep as from 1.8.2 # attempted in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
># attempted in snort18REL.conf for snort 1.8.1-RELEASE
># hasn't been shown in snort.conf for several releases: works as from 1.7
><snip>
>
>
>This binary logs to this sort of a file, for example:
>
>4678983 May 20 15:19 snort-0520 at ...5939...
>
>
>and alerts go to this sort of a file:
>
>11226 May 20 15:14 alert184.full-0520 at ...5939...
>
>
>and syslog get alerts, and logcheck picks them up, thus:
>
><snip>
>Security Violations
>=-=-=-=-=-=-=-=-=-=
>May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
>+211.202.3.249:2986 -> 12.82.133.65:1433
><snip>
>
>
>So this works for me...
>
>YMMV..
>
>
>- John
>--
>You simply can never have too many shells
>
>PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
>Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
>
>
>On Thu, May 23, 2002 at 03:36:46PM -0400, C Boss wrote:
> > Guys, help me out here please. This is the second time I have put out this
> > question. Is the question plain stupid or do you need more information?
> > Please let me know.
> >
> > "I want to log in a binary format and thus am using the -b option. I am also
> > logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS
> > in the snort.conf file.
> >
> > The problem is that if I use the -b option with Snort, I don't see any
> > alerts in the syslog.
> >
> > Do the two not work together?"
> >
> > Thanks.
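As an added example (not code from either poster or from the Snort project), the script below does two things a list reader debugging this setup would want: it parses the alert lines that alert_syslog writes and logcheck reports, in the shape John's "TCP to 1433 MS MySQL server {TCP} ..." line shows, and it checks each active `output alert_syslog:` directive in a snort.conf against the syslog(3) facility and priority names. The name sets are an assumption about what the plugin accepts (the two working directives in the thread, LOG_LOCAL7 LOG_ALERT and LOG_DAEMON LOG_ALERT, are in them); the sample config and the LOG_ALERTS misspelling taken from the quoted question are constructed input.

```python
import re

# Facility and priority names from syslog(3). Assumption: Snort's alert_syslog
# plugin accepts these spellings (LOG_LOCAL7 LOG_ALERT and LOG_DAEMON LOG_ALERT
# appear in the thread); anything else is flagged.
SYSLOG_FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    f"LOG_LOCAL{i}" for i in range(8)
}
SYSLOG_PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                     "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}

# Shape of an alert as the syslog output plugin writes it:
#   <timestamp> <host> snort: [gid:sid:rev] <message> {PROTO} <src> -> <dst>
# Endpoints carry a :port for TCP/UDP and none for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _endpoint(text):
    """Split 'addr:port' into (addr, port); ICMP endpoints have no port."""
    if ":" in text:
        addr, port = text.rsplit(":", 1)
        return addr, int(port)
    return text, None


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    d["src"], d["sport"] = _endpoint(d["src"])
    d["dst"], d["dport"] = _endpoint(d["dst"])
    return d


DIRECTIVE_RE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(.*)$")


def check_alert_syslog(conf_text):
    """Return one (line_no, facility, priority, problems) tuple per active
    alert_syslog directive; commented-out lines never match the pattern."""
    results = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        args = m.group(1).split()
        facility = args[0] if args else None
        priority = args[1] if len(args) > 1 else None
        problems = []
        if facility not in SYSLOG_FACILITIES:
            problems.append(f"unknown facility {facility!r}")
        if priority not in SYSLOG_PRIORITIES:
            problems.append(f"unknown priority {priority!r}")
        results.append((n, facility, priority, problems))
    return results


# Constructed sample input: John's logcheck line rejoined onto one line, and a
# conf that mixes the thread's two working directives with a commented one
# and the LOG_ALERTS spelling from the quoted question.
SAMPLE_ALERT = ("May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL "
                "server {TCP} 211.202.3.249:2986 -> 12.82.133.65:1433")
SAMPLE_CONF = """\
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: LOG_DAEMON LOG_ALERT
output alert_syslog: LOG_LOCAL7 LOG_ALERT
output alert_syslog: LOG_LOCAL7 LOG_ALERTS
output log_tcpdump: snort.log
"""

if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
    for line_no, fac, pri, problems in check_alert_syslog(SAMPLE_CONF):
        status = "ok" if not problems else "; ".join(problems)
        print(f"line {line_no}: {fac} {pri}: {status}")
```

Run it against your own snort.conf and a few lines of /var/log/messages to see whether the directive parses as you expect and whether alerts are arriving in syslog at all; a directive with a misspelled priority is reported by line number.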



