[Snort-users] Dual Alerts ?
L. Christopher Luther
CLuther at ...6333...
Mon Apr 14 10:38:08 EDT 2003
I run two Snort sensors in a Win32 environment. Both sensors "log" to MySQL
and also alert to two separate end-points: syslog and a text file. My
output statements in snort.conf look like:

output alert_fast: alert.ids
output database: log, mysql, host=somehost port=3306 dbname=snortdb password=somepassword sensor_name=sensor1 encoding=hex
output alert_syslog: LOG_AUTHPRIV LOG_ALERT

My syslog server is a remote server, and I specify the address of that
server using the '-s ipaddr:514' command line parameter for Snort.
I get no duplicate alerts. So what are the exact output statements you're
using in snort.conf, and what is the command line you're using to start

From: David Markle [mailto:davidmarkle at ...5068...]
Sent: Sunday, April 13, 2003 9:44 PM
Subject: [Snort-users] Dual Alerts ?

I would really like to have TWO working OUTPUT PLUGINS: (Databases and
Syslog). From what I have determined, two Syslog FACILITIES are used
(auth.notice and daemon.notice). The auth.notice (which is configurable in
the snort.conf) is used for alerts and daemon.notice is used for snort
Both output plugins are important because I want Syslog to a remote host and
the database output plug for ACID. The problem is, I'm getting dual alerts
in both ACID and Syslog and do not know why, (other than two output plug
entries in the .conf file - duh). Can't the output plugs fork the data
independently ? Is this a limitation of the product or my knowledge ??
Thanks in advance.