[Snort-users] SQL logging + ACID

francisv at ...6732...
Tue Sep 10 18:11:02 EDT 2002


Hi,

I've configured snort to run with the following parameters:

	snort -D -N -k none -o -c /usr/local/etc/snort.conf

-N is supposed to turn off packet logging and now I don't see any 'alert'
file in /var/log/snort -- this is good. Snort is also configured to log
alerts to MySQL:

	output database: alert, mysql, user=user password=passwd dbname=db \
	host=localhost

Now, I'm getting this log in ACID:

	#0-(1-1)  spp_anomsensor: Anomaly threshold exceeded: 12.6369  2002-09-11 08:53:56  151.189.24.18:49311  202.91.160.110:113  TCP

Which normally didn't show up without the "-N" and with "output database:
log, mysql" option. I don't want this logging behavior since it will
obviously flood my db; I only want to log alerts but removing "-N" fills up
disk space too because of /var/log/snort/alert. What should be my
configuration?

---
 francis a. vidal [bitstop network services] | http://www.bitstop.ph
 streaming media + web hosting               | http://www.keystone.ph
 v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph 
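The row quoted above is one line of ACID's alert listing: an event id, the signature message, a timestamp, source and destination endpoints, and the protocol. Before touching the output configuration, a practitioner would want to know what is actually filling the table: how many events there are, which signatures produce them, and whether they come from a preprocessor (messages prefixed `spp_`, such as the anomaly sensor here) rather than from a rule, since preprocessor alerts go through Snort's alert facility and are therefore not suppressed by `-N`, which only disables packet logging. The following parser and summary is an added example, not code from the post or from the Snort or ACID projects; the first sample row is the one quoted in the post (rejoined onto one line), the other rows, the `AcidAlert` type and the helper names are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. Row 0 is the row quoted in the post; rows 1 and 2
# are made up here to show a second anomaly event and an ordinary rule alert.
SAMPLE_ROWS = [
    "#0-(1-1)  spp_anomsensor: Anomaly threshold exceeded: 12.6369  "
    "2002-09-11 08:53:56  151.189.24.18:49311  202.91.160.110:113  TCP",
    "#1-(1-2)  spp_anomsensor: Anomaly threshold exceeded: 9.8812  "
    "2002-09-11 08:54:01  151.189.24.18:49312  202.91.160.110:113  TCP",
    "#2-(1-3)  ICMP PING  2002-09-11 08:55:17  10.0.0.7  10.0.0.1  ICMP",
]

# Layout of one ACID listing row: "#<row>-(<sid>-<cid>)  <message>  <timestamp>
# <src>  <dst>  <proto>". The message may contain spaces and colons, so it is
# matched non-greedily and the fixed-shape fields are anchored from the right.
ROW_RE = re.compile(
    r"^#(?P<row>\d+)-\((?P<sid>\d+)-(?P<cid>\d+)\)\s+"
    r"(?P<sig>.+?)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*$"
)


@dataclass
class AcidAlert:
    sensor_id: int      # sid: which Snort sensor wrote the event
    event_id: int       # cid: per-sensor event counter
    signature: str      # full message as ACID shows it
    timestamp: str
    src: str            # "host" or "host:port" (IPv4 only, as in the listing)
    dst: str
    proto: str

    @property
    def from_preprocessor(self) -> bool:
        # Snort preprocessors prefix their messages with "spp_<name>:".
        return self.signature.startswith("spp_")

    @property
    def anomaly_score(self) -> Optional[float]:
        # spp_anomsensor appends the anomaly score as the last token.
        if not self.from_preprocessor:
            return None
        try:
            return float(self.signature.rsplit(None, 1)[-1])
        except ValueError:
            return None

    @property
    def signature_name(self) -> str:
        # Drop a trailing numeric score so repeated anomaly alerts group together.
        if self.anomaly_score is None:
            return self.signature
        return self.signature.rsplit(None, 1)[0].rstrip(" :")


def split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); ICMP rows carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_row(line: str) -> AcidAlert:
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ACID row: {line!r}")
    return AcidAlert(
        sensor_id=int(m["sid"]), event_id=int(m["cid"]), signature=m["sig"],
        timestamp=m["ts"], src=m["src"], dst=m["dst"], proto=m["proto"],
    )


def summarize(lines) -> dict:
    """Count events per signature and how many came from a preprocessor."""
    alerts = [parse_row(l) for l in lines]
    by_sig = Counter(a.signature_name for a in alerts)
    scores = [a.anomaly_score for a in alerts if a.anomaly_score is not None]
    return {
        "total": len(alerts),
        "preprocessor": sum(a.from_preprocessor for a in alerts),
        "by_signature": by_sig,
        "max_anomaly_score": max(scores) if scores else None,
    }


if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_ROWS)["by_signature"].most_common():
        print(f"{n:6d}  {sig}")
```

Run against a paste of the ACID listing, the per-signature counts show whether the database growth is driven by `spp_anomsensor` events; if it is, the volume is controlled by tuning that preprocessor's threshold in snort.conf (or disabling it), not by the `-N` switch or the choice between `alert` and `log` in the `output database:` line.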