[Snort-users] confuse with alerts file
bamm.visscher at ...11827...
Tue Sep 28 12:55:36 EDT 2004
Yes, he is LOGing to binary (I see the -b option), but he is ALERTing
to something else. If you do NOT define an alert output in your
snort.conf or on the cmd line, but use -b on the command line, you
will ALERT to /var/log/snort/alert and LOG to snort.log.########. LOG
and ALERT are two separate facilities. One switch CANNOT affect them
both. In my previous response, my guess was that he is using "output
database: alert, blah" in his snort.conf on the second machine and
"output database: log" on the original. I just reread his post
though, and I think he is saying he sees alert data in
/var/log/messages (it's a hard post to follow), so he must have turned
on the ALERT_SYSLOG function in his snort.conf on the second machine
or is using switches not included in his original post.
Can you send the exact cmd line switches and output of `grep '^output'
snort.conf` to the list?
On Tue, 28 Sep 2004 15:15:45 -0400, Esler, Joel - Contractor
<joel.esler at ...9426...> wrote:
> In the default setup, if you log to binary it /will not/ generate the
> ascii mode, however, maku says that the log files being produced are
> snort.log.###.. This is indicative of binary logging mode.
> -----Original Message-----
> From: Bamm Visscher [mailto:bamm.visscher at ...11827...]
> Sent: Tuesday, September 28, 2004 3:07 PM
> To: Esler, Joel - Contractor
> Cc: maku bex; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] confuse with alerts file
> Comments inline.
> On Tue, 28 Sep 2004 12:06:54 -0400, Esler, Joel - Contractor
> <joel.esler at ...9426...> wrote:
> > Because you are using the -b option (binary logging) it is logging
> > into pcap format. Remove the -b to generate an alert file. However,
> > -b is much more useful if you are familiar with Tcpdump or ethereal.
> > Joel
> No, that is not correct. The -b (binary logging) option has nothing to
> do with an alert file being generated. I am not sure why the output
> facilities are so misunderstood, but here again is an explanation.
> Snort has two output facilities: alert and log. The default plugin for
> the alert facility is ALERT_FULL and the default log facility is
> LOG_ASCII. ALERT_FULL is your std alert output to the /var/log/alert
> file, while LOG_ASCII writes packet data in ascii format to directories
> and files based on ip address/protos/ports/etc. The -b option changes
> the default behavior of the log facility only (to LOG_PCAP).
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of maku bex
> > Sent: Monday, September 27, 2004 8:06 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] confuse with alerts file
> > i just started with snort.....the sensor was running
> > fine lately.....
> > but sometimes.....when i'm trying to play around with
> > it in another new box.....the snort itself
> > does not generate any output into the alerts file which is
> > located in /var/log/snort
> > FYI, i usually use this configuration...
> > [snort.conf]
> > output database: log, mysql,
> > and i run with this command...
> > snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort -g snort -m 007
> > then i cd to /var/log/snort/
> > what i'm confused is there's no alerts file here but
> > only snort.log.something
> > so i tail messages log in /var/log/ , yes the snort
> > can see packets
> > going through....
> > but why does it not generate the alerts file like in the
> > 1st box...?
> > can anyone help me out....
> Sounds like you may have your database output plugin set to use the
> alert facility (output database: alert VERSUS output database: log). I'd
> double check that.
> sguil - The Analyst Console for NSM
sguil - The Analyst Console for NSM
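An added diagnostic (not from the thread or the Snort project) for the alert-vs-log distinction Bamm explains: it runs the same filter as `grep '^output' snort.conf` over a config and reports which plugin serves each facility, falling back to the defaults he describes when a facility has no output line. It assumes the Snort 2.x conventions that alert_* plugins feed ALERT, log_* plugins feed LOG, and database/unified take the facility as their first argument; the sample config is constructed, not the poster's real file.

```shell
# Constructed sample config: a guess at the poster's second box (alerts
# to syslog, packet logs to MySQL), not his actual snort.conf.
SAMPLE_CONF='var HOME_NET any
output database: log, mysql, user=snort dbname=snort host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_full: alert
include classification.config'

# facility_of PLUGIN ARGS -> prints alert, log or unknown
facility_of() {
    case "$1" in
        alert_*) echo alert ;;
        log_*)   echo log ;;
        database|unified)
            case "$2" in          # facility is the first argument here
                alert*) echo alert ;;
                log*)   echo log ;;
                *)      echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# summarize_outputs CONF_TEXT -> one line per facility naming the plugin(s)
# configured for it, or the default Snort uses when none is configured.
summarize_outputs() {
    alert_plugins=""
    log_plugins=""
    while IFS= read -r line; do
        case "$line" in
            output*) ;;           # same filter as `grep '^output'`
            *) continue ;;        # comments, vars, includes, blanks
        esac
        plugin=${line#output}
        plugin=$(printf '%s' "${plugin%%:*}" | tr -d ' \t')
        args=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
        case "$(facility_of "$plugin" "$args")" in
            alert) alert_plugins="$alert_plugins $plugin" ;;
            log)   log_plugins="$log_plugins $plugin" ;;
        esac
    done <<EOF
$1
EOF
    echo "alert:${alert_plugins:- DEFAULT alert_full -> /var/log/snort/alert}"
    echo "log:${log_plugins:- DEFAULT log_ascii (log_tcpdump snort.log.<ts> with -b)}"
}

summarize_outputs "$SAMPLE_CONF"
```

Run against a real file with `summarize_outputs "$(cat /etc/snort/snort.conf)"`; a config with only `output database: log, ...` reports the ALERT facility at its default, which is why that box still writes /var/log/snort/alert.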