[Snort-users] confuse with alerts file
Esler, Joel - Contractor
joel.esler at ...9426...
Tue Sep 28 12:24:45 EDT 2004
In the default setup, if you log to binary it /will not/ generate the
ascii mode; however, maku says that the log files being produced are
snort.log.###. This is indicative of binary logging mode.
From: Bamm Visscher [mailto:bamm.visscher at ...11827...]
Sent: Tuesday, September 28, 2004 3:07 PM
To: Esler, Joel - Contractor
Cc: maku bex; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] confuse with alerts file
On Tue, 28 Sep 2004 12:06:54 -0400, Esler, Joel - Contractor
<joel.esler at ...9426...> wrote:
> Because you are using the -b option (binary logging) it is logging
> into pcap format. Remove the -b to generate an alert file. However,
> -b is much more useful if you are familiar with Tcpdump or ethereal.
No, that is not correct. The -b (binary logging) option has nothing to
do with an alert file being generated. I am not sure why the output
facilities are so misunderstood, but here again is an explanation.
Snort has two output facilities: alert and log. The default plugin for
the alert facility is ALERT_FULL and the default log facility is
LOG_ASCII. ALERT_FULL is your std alert output to the /var/log/alert
file, while LOG_ASCII writes packet data in ascii format to directories
and files based on ip address/protos/ports/etc. The -b option changes
the default behavior of the log facility only (to LOG_PCAP).
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of maku bex
> Sent: Monday, September 27, 2004 8:06 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] confuse with alerts file
> I've just started with snort. The sensor has been running
> fine lately,
> but sometimes, when I try to play around with it on another
> new box, snort itself
> does not generate any output into the alerts file, which is
> located in /var/log/snort.
> FYI, I usually use this configuration...
> output database: log, mysql,
> and I run it with this command...
> snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort -g snort -m 007
> Then I cd to /var/log/snort/.
> What I'm confused about is that there's no alerts file here,
> only snort.log.something.
> So I tail the messages log in /var/log/; yes, snort
> can see packets going through...
> but why does it not generate the alerts file like on the
> 1st box?
> Can anyone help me out?
Sounds like you may have your database output plugin set to use the
alert facility (output database: alert VERSUS output database: log). I'd
double-check that.
sguil - The Analyst Console for NSM
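An added illustration of the two-facility model Bamm describes above (this is not a config from the thread, and the file names and database credentials in it are placeholders, not maku's actual snort.conf). The first argument of the database plugin is what decides whether the alert file keeps being written:

```conf
# snort.conf output section (added example, not from the original thread;
# paths, file names and DB credentials are placeholders)

# ---- alert facility ----
# One record per rule hit, written to <logdir>/alert
# (/var/log/snort/alert when started with -l /var/log/snort).
# ALERT_FULL is what Snort uses when no alert-facility plugin is
# configured at all; listing it here keeps it active even when other
# alert-facility plugins are added below.
output alert_full: alert

# ---- log facility ----
# Packet data for logged events. With no log plugin configured and
# no -b on the command line, Snort falls back to LOG_ASCII (directories
# per IP/proto/port); -b switches that default to pcap, i.e. the
# snort.log.<timestamp> files maku is seeing. Requesting pcap
# explicitly states the intent instead of relying on the -b switch.
output log_tcpdump: snort.log

# ---- database plugin ----
# The first argument binds the plugin to exactly ONE facility.
#   "log"   -> gets packet data; the alert facility is untouched and the
#              alert file above is still written.
#   "alert" -> replaces the default alert output, which is the case
#              Bamm's reply suggests: the database gets the alerts and
#              /var/log/snort/alert is no longer produced.
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
```

To confirm which facility is doing what on a running sensor, list /var/log/snort: an `alert` file means the alert facility is writing to disk, while `snort.log.<timestamp>` files are pcap from the log facility and can be read back with `tcpdump -nr /var/log/snort/snort.log.<timestamp>` rather than with cat or tail.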