[Snort-users] FW: Asking Snort to do too much?

Lance Lloyd lance.lloyd at ...7449...
Thu Aug 28 13:40:11 EDT 2003


Just wanted to say thanks.  Not only did I need to create a separate instance of snort, but I also had to use a different facility, but I eventually got it working.  Thanks for the idea.

Lance

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Monday, August 25, 2003 9:01 AM
To: Lance Lloyd
Cc: Snort (E-mail)
Subject: Re: [Snort-users] FW: Asking Snort to do too much?


On Fri, 22 Aug 2003, Lance Lloyd wrote:

> Question too vague?

No.  I just thought someone else might chime in, since I was feeling lazy.

> So here's my dilemma.  I want Snort to log to a total of 3 places, a
> Mysql DB, and two different syslogs.  I want all alerts to be sent to
> the DB and one of the logs.  I have a custom ruletype that I would like
> to log to the 2nd syslog. The problem I am having is that all alerts are
> being sent to both syslogs.  I've tried using different facilities and
> different priorities for them, but it still wants to send to both.
> Below are the configuration options I'm using.
>
>
> Here's the relevant part of my conf file:
>
>
> output alert_syslog: LOG_LOCAL5 LOG_ALERT
>
> output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41
> sensor_name=OutsideCorpFirewall
>
> ruletype sev1
> {
>   type alert
>   output alert_syslog: LOG_LOCAL5 LOG_CRIT
>   output database: log, mysql, user=snort dbname=snort host=10.17.0.41
>   sensor_name=OutsideCorpFirewall
>   output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41
>   sensor_name=OutsideCorpFirewall
> }
>
>
> And the relevant part of my syslog.conf
>
> #Snort
> #local5.*                                                /var/log/snort
> local5.alert                                            @10.17.0.41
> local5.crit                                             @10.17.9.18
>
> Can't think of anything I haven't tried.  Thanks in advance.

A couple of things.

*  Try running two instances of Snort.  One with one config and the other
with a second.  Only one logs to the second db and second syslog.

*  For a test, try having both local5.alert and local5.crit log to a local
file on the box.  Check to make sure that the syslog can separate the two.
Make sure that it doesn't have a wierd way of sending *.alert and above to
one file.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list