[Snort-users] confuse with alerts file

Bamm Visscher bamm.visscher at ...11827...
Tue Sep 28 12:22:20 EDT 2004


Comments inline.

On Tue, 28 Sep 2004 12:06:54 -0400, Esler, Joel - Contractor
<joel.esler at ...9426...> wrote:
> Because you are using the -b option (binary logging) it is logging into
> pcap format.  Remove the -b to generate an alert file.  However, -b is
> much more useful if you are familiar with Tcpdump or ethereal.
> 
> Joel
> 

No, that is not correct. The -b (binary logging) option has nothing to
do with an alert file being generated.  I am not sure why the output
facilities are so misunderstood, but here again is an explanation.

Snort has two output facilities: alert and log. The default plugin for
the alert facility is ALERT_FULL and the default log facility is
LOG_ASCII. ALERT_FULL is your std alert output to the /var/log/alert
file, while LOG_ASCII writes packet data in ascii format to
directories and files based on ip address/protos/ports/etc.  The -b
option changes the default behavior of the log facility only (to
LOG_PCAP).

> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of maku bex
> Sent: Monday, September 27, 2004 8:06 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] confuse with alerts file
> 
> i'm just started with snort.....the sensor was running
> fine lately.....
> but sometimes.....when i'm trying to play around with
> it into another
> new box.....the snort itself
> is not generate any output into alerts file which is
> located in /var/log/snort
> FYI, i usually use this configuration...
> [snort.conf]
> output database: log, mysql,
> 
> and i run with this command...
> snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort
> -g snort m 007
> 
> then i cd to /var/log/snort/
> what i'm confused is theres no alerts file here but
> except of snort.log.smething
> so i tail messages log in /var/log/ , yes the snort
> can see packets
> going through....
> but why it not generates the alerts file like in the
> 1st box...?
> can anyone help me out....

Sounds like you may have your database output plugin set to use the
alert facility (output database: alert VERSUS output database: log).
I'd double check that.

Bammkkkk


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list