[Snort-users] confuse with alerts file

Bamm Visscher bamm.visscher at ...11827...
Wed Sep 29 06:29:29 EDT 2004


The line "output alert_syslog: LOG_AUTH LOG_ALERT" is causing alerts
to go to syslog.

Add the line "output alert_full: alert" for alerting to /var/log/snort/alert.

Bammkkkk



On Tue, 28 Sep 2004 19:54:15 -0700 (PDT), maku bex <maku_bexs at ...131...> wrote:
> Thanks for replying...
> The scenario is I have one box installed with
> snort,
> and I'm trying to deploy snort onto another box as
> well; the configuration is the same:
> [snort.conf]
> [Unix flavours should use this format...]
> output alert_syslog: LOG_AUTH LOG_ALERT
> output database: log, mysql,
> 
> For both snorts I run this command:
> snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort
> -g snort m 007
> 
> For box one, it generates the alert file:
> tail -f /var/log/snort/alert
> 
> Sep 29 09:53:00 src at ...12493... snort: [1:2000328:3]
> BLEEDING-EDGE Multiple Non-SMTP Server Emails
> [Classification: Misc activity] [Priority: 3]: <eth0>
> {TCP} x.x.x.x:1138 -> x.x.x.x:25
> Sep 29 09:53:04 src at ...12493... snort: [1:2000328:3]
> BLEEDING-EDGE Multiple Non-SMTP Server Emails
> [Classification: Misc activity] [Priority: 3]: <eth0>
> {TCP} x.x.x.x:1144 -> x.x.x.74:25
> 
> But for the second one, like I said, there is no alert file
> in /var/log/snort/, which I don't quite understand
> here... I guessed snort was not running, so I tailed
> the messages log:
> 
> ping www.google.com
> tail -f /var/log/messages
> it gives me the output:
> Sep 29 10:48:21 vmware snort: Warning: flowbits key
> 'tls1.server_hello.request' is checked but not ever
> set.
> Sep 29 10:48:21 vmware snort: Warning: flowbits key
> 'tls.client_hello.request' is checked but not ever
> set.
> Sep 29 10:48:22 vmware snort: Snort initialization
> completed successfully
> Sep 29 10:38:28 vmware snort: [1:408:5] ICMP Echo
> Reply [Classification: Misc activity] [Priority: 3]:
> <eth0> {ICMP} 216.239.39.99 -> 192.168.0.35
> 
> Any ideas?
> 
> 
> 
> 
> --- Bamm Visscher <bamm.visscher at ...11827...> wrote:
> 
> > Yes, he is LOGing to binary (I see the -b option), but he is ALERTing
> > to something else. If you do NOT define an alert output in your
> > snort.conf or on the cmd line, but use -b on the command line, you
> > will ALERT to /var/log/snort/alert and LOG to snort.log.########. LOG
> > and ALERT are two separate facilities. One switch CANNOT affect them
> > both.  In my previous response, my guess was that he is using "output
> > database: alert, blah" in his snort.conf on the second machine and
> > "output database: log" on the original.  I just reread his post
> > though, and I think he is saying he sees alert data in
> > /var/log/messages (it's a hard post to follow), so he must have turned
> > on the ALERT_SYSLOG function in his snort.conf on the second machine
> > or is using switches not included in his original post.
> >
> > Maku,
> >
> > Can you send the exact cmd line switches and output
> > of `grep '^output'
> > snort.conf` to the list?
> >
> > Bammkkkk
> >
> >
> >
> > On Tue, 28 Sep 2004 15:15:45 -0400, Esler, Joel -
> > Contractor
> > <joel.esler at ...9426...> wrote:
> > > In the default setup, if you log to binary it /will not/ generate the
> > > ascii mode, however, maku says that the log files being produced are
> > > snort.log.###..  This is indicative of binary logging mode.
> > >
> > > J
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Bamm Visscher
> > [mailto:bamm.visscher at ...11827...]
> > > Sent: Tuesday, September 28, 2004 3:07 PM
> > > To: Esler, Joel - Contractor
> > > Cc: maku bex; snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] confuse with alerts
> > file
> > >
> > > Comments inline.
> > >
> > > On Tue, 28 Sep 2004 12:06:54 -0400, Esler, Joel -
> > Contractor
> > > <joel.esler at ...9426...> wrote:
> > > > Because you are using the -b option (binary logging) it is logging
> > > > into pcap format.  Remove the -b to generate an alert file.  However,
> > > > -b is much more useful if you are familiar with Tcpdump or ethereal.
> > > >
> > > > Joel
> > > >
> > >
> > > No, that is not correct. The -b (binary logging) option has nothing to
> > > do with an alert file being generated.  I am not sure why the output
> > > facilities are so misunderstood, but here again is an explanation.
> > >
> > > Snort has two output facilities: alert and log. The default plugin for
> > > the alert facility is ALERT_FULL and the default log facility is
> > > LOG_ASCII. ALERT_FULL is your std alert output to the /var/log/alert
> > > file, while LOG_ASCII writes packet data in ascii format to directories
> > > and files based on ip address/protos/ports/etc. The -b option changes
> > > the default behavior of the log facility only (to LOG_PCAP).
> > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: snort-users-admin at lists.sourceforge.net
> > > > [mailto:snort-users-admin at lists.sourceforge.net]
> > On Behalf Of maku bex
> > > > Sent: Monday, September 27, 2004 8:06 AM
> > > > To: snort-users at lists.sourceforge.net
> > > > Subject: [Snort-users] confuse with alerts file
> > > >
> > > > I've just started with snort... the sensor was
> > > > running fine lately...
> > > > But sometimes, when I'm trying to play around with
> > > > it on another new box, snort itself
> > > > does not generate any output into the alerts file which is
> > > > located in /var/log/snort.
> > > > FYI, I usually use this configuration...
> > > > [snort.conf]
> > > > output database: log, mysql,
> > > >
> > > > and I run with this command...
> > > > snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort
> > > > -g snort m 007
> > > >
> > > > Then I cd to /var/log/snort/.
> > > > What I'm confused about is that there's no alerts file here,
> > > > only snort.log.something.
> > > > So I tail the messages log in /var/log/; yes, snort
> > > > can see packets going through...
> > > > But why does it not generate the alerts file like on
> > > > the 1st box?
> > > > Can anyone help me out...
> > >
> > > Sounds like you may have your database output
> > plugin set to use the
> > > alert facility (output database: alert VERSUS
> > output database: log). I'd
> > > double check that.
> > >
> > > Bammkkkk
> > >
> > > --
> > > sguil - The Analyst Console for NSM
> > > http://sguil.sf.net
> > >
> >
> >
> >
> >
> 
> 



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
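The thread's whole diagnosis reduces to one rule: Snort has an alert facility and a log facility, each gets a default plugin only when nothing else is configured for it, and -b only changes the log default. The script below is an added example (not code from the thread or from the Snort project) that applies that rule to a snort.conf and a snort command line and reports where alerts and logs will actually go, which is the check Bamm asked Maku to run by hand with `grep '^output' snort.conf`. It models a subset of Snort 2.x: the `output` directives named in the thread plus a few other real plugin names, and the -b, -l, -A, -s and -N switches as documented for Snort 2.x. The treatment of -A and -s as additional alert outputs, the list of switches that consume an argument, and the sample configs and command line (with `m 007` read as `-m 007`) are assumptions made for this example.

```python
"""Work out which Snort 2.x output plugins feed the alert and log facilities."""
import re

# Real Snort 2.x plugin names; the facility mapping follows Bamm's explanation.
ALERT_PLUGINS = {"alert_syslog", "alert_fast", "alert_full", "alert_unixsock", "alert_csv"}
LOG_PLUGINS = {"log_tcpdump", "log_null"}
BOTH_PLUGINS = {"unified", "unified2"}          # write both alert and log records

# Single-letter switches that consume the next argument (assumed list for this
# example; it covers everything on Maku's command line).
ARG_OPTS = set("AcFghiklmnPrStuG")

OUTPUT_RE = re.compile(r"^output\s+([A-Za-z0-9_]+)\s*(?::\s*(.*?))?\s*$")


def parse_output_lines(conf_text):
    """Return {'alert': [...], 'log': [...], 'unknown': [...]} of (plugin, args)."""
    found = {"alert": [], "log": [], "unknown": []}
    for raw in conf_text.splitlines():
        m = OUTPUT_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        plugin, args = m.group(1).lower(), (m.group(2) or "").strip()
        entry = (plugin, args)
        if plugin in ALERT_PLUGINS:
            found["alert"].append(entry)
        elif plugin in LOG_PLUGINS:
            found["log"].append(entry)
        elif plugin in BOTH_PLUGINS:
            found["alert"].append(entry)
            found["log"].append(entry)
        elif plugin == "database":
            # 'output database: <facility>, <dbtype>, ...': the first argument
            # picks the facility, which is the mix-up Bamm first suspected.
            facility = args.split(",", 1)[0].strip().lower()
            found[facility if facility in ("alert", "log") else "unknown"].append(entry)
        else:
            found["unknown"].append(entry)
    return found


def parse_switches(argv):
    """Pull -b, -s, -N, -A <mode> and -l <dir> out of a snort command line."""
    sw = {"b": False, "s": False, "N": False, "A": None, "l": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            continue
        j = 1
        while j < len(tok):                      # handles clustered flags like -qbID
            ch = tok[j]
            j += 1
            if ch in ARG_OPTS:
                val = tok[j:] if j < len(tok) else (argv[i] if i < len(argv) else None)
                if j >= len(tok):
                    i += 1                       # value was the next token
                if ch in ("A", "l"):
                    sw[ch] = val
                break
            if ch in sw:
                sw[ch] = True
    return sw


def effective_outputs(conf_text, argv, default_logdir="/var/log/snort"):
    """Where alerts and logs actually go once snort.conf and the command line combine."""
    conf, sw = parse_output_lines(conf_text), parse_switches(argv)
    logdir = sw["l"] or default_logdir

    alerts = list(conf["alert"])
    if sw["A"]:
        alerts.append(("alert_" + sw["A"].lower(), "(command line -A)"))
    if sw["s"]:
        alerts.append(("alert_syslog", "(command line -s)"))
    if not alerts:                               # nothing configured: ALERT_FULL default
        alerts.append(("alert_full", "%s/alert (default)" % logdir))

    if sw["N"]:
        logs = [("log_null", "(command line -N)")]
    else:
        logs = list(conf["log"])
        if not logs:                             # -b only swaps the *default* log plugin
            logs.append(("log_tcpdump", "%s/snort.log.<ts> (default, -b)" % logdir)
                        if sw["b"] else ("log_ascii", "%s/<ip>/... (default)" % logdir))
    return {"alert": alerts, "log": logs, "unknown": conf["unknown"]}


def writes_alert_file(conf_text, argv, default_logdir="/var/log/snort"):
    """True if some alert output creates <logdir>/alert (alert_full or alert_fast)."""
    out = effective_outputs(conf_text, argv, default_logdir)
    return any(p in ("alert_full", "alert_fast") for p, _ in out["alert"])


# Constructed inputs modelled on the two boxes in the thread.
BOX2_CONF = """\
# Unix flavours should use this format...
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort dbname=snort host=localhost
"""
BOX1_CONF = "output database: log, mysql, user=snort dbname=snort host=localhost\n"
ARGV = "snort -qbID -i eth0 -c /etc/snort/snort.conf -u snort -g snort -m 007".split()

if __name__ == "__main__":
    for name, conf in (("box1", BOX1_CONF), ("box2", BOX2_CONF)):
        print(name, effective_outputs(conf, ARGV), "alert file:", writes_alert_file(conf, ARGV))
```

Run against the second box's config it reports alerts going to alert_syslog only and no /var/log/snort/alert, exactly what Maku saw in /var/log/messages; the first box, with no alert plugin configured, falls back to alert_full and gets the file. Adding `output alert_full: alert` to the second box makes the file appear without touching the log facility.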



