[Snort-users] Dual Alerts ?

L. Christopher Luther CLuther at ...6333...
Mon Apr 14 10:38:08 EDT 2003


Hi, David.  

I run two Snort sensors in a Win32 environment.  Both sensors "log" to MySQL
and also alert to two separate end-points:  syslog and a text file.  My
output statements in snort.conf look like:  

  output alert_fast: alert.ids
  output database: log, mysql, host=somehost port=3306 dbname=snortdb
user=snort 
                   password=somepassword sensor_name=sensor1 encoding=hex
detail=Full
  output alert_syslog: LOG_AUTHPRIV LOG_ALERT

My syslog server is a remote server, and I specify the address of that
server using the '-s ipaddr:514' command line parameter for Snort.  

I get no duplicate alerts.  So what are the exact output statements you're
using in snort.conf, and what is the command line you're using to start
Snort?  

- Christopher


-----Original Message-----
From: David Markle [mailto:davidmarkle at ...5068...]
Sent: Sunday, April 13, 2003 9:44 PM
To: snort-users
Subject: [Snort-users] Dual Alerts ?


I would really like to have TWO working OUTPUT PLUGINS: (Databases and
Syslog).  From what I have determined, two Syslog FACILITIES are used
(auth.notice and daemon.notice).  The auth.notice (which is configurable in
the snort.conf) is used for alerts and daemon.notice is used for snort
start/stop etc.  

Both output plugins are important because I want Syslog to a remote host and
the database output plug for ACID.  The problem is, I'm getting dual alerts
in both ACID and Syslog and do not know why, (other than two output plug
entries in the .conf file - duh).  Can't the output plugs fork the data
independently ?  Is this a limitation of the product or my knowledge ??

Thanks in advance.

David Markle




-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030414/7f56b76f/attachment.html>


More information about the Snort-users mailing list