[Snort-users] unified format
Roland Turner (SourceForge)
raz.fs.arg at ...9950...
Fri Aug 19 07:36:55 EDT 2005
Igor Belikov said:
> - >8 - - >8 - - >8 - part of snort.conf - >8 - - >8 - - >8 -
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
You only need the latter.
> startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
> startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f snort.alert -w $SNORT_LOG/barnyard.waldo
Looks reasonable, except that you want snort.log, not snort.alert.
> When I use "-f snort.alert" - I get alert events in DB, but don't get
> payload. When I use "-f snort.log" - I don't get alert events in DB.
Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.
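Added example, not part of the message above or of the Snort/Barnyard code: a small check for which kind of unified spool file Barnyard is being pointed at, since the symptom in the thread (events but no payload, or payload file but no events) comes down to feeding it an alert_unified file instead of a log_unified one. The magic values and header layouts are assumed from Snort 2.x spo_unified.h as recalled here and should be verified against the Snort and Barnyard sources in use; the sample headers are constructed, not captured from a sensor.

```python
import struct
import sys
from typing import Optional

# Magic numbers of the two Snort 2.x unified formats (assumed from
# spo_unified.h; verify against your Snort/Barnyard version). Files are
# written in the sensor's native byte order, so both orders are tried.
LOG_MAGIC = 0xDEAD1080    # log_unified: event header plus packet, payload present
ALERT_MAGIC = 0xDEAD4137  # alert_unified: event header only, no payload

# File header layouts (assumed from spo_unified.h):
#   alert: magic(u32) version_major(u16) version_minor(u16) timezone(u32)
#   log:   magic(u32) version_major(u16) version_minor(u16) timezone(u32) snaplen(u32)
ALERT_HDR = "IHHI"
LOG_HDR = "IHHII"


def unified_file_kind(header: bytes) -> Optional[str]:
    """Classify a unified spool file from its first bytes: 'log', 'alert' or None."""
    if len(header) < 4:
        return None
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", header[:4])
        if magic == LOG_MAGIC:
            return "log"
        if magic == ALERT_MAGIC:
            return "alert"
    return None


def carries_payload(kind: Optional[str]) -> bool:
    """Only the log_unified format stores the packet, hence the payload."""
    return kind == "log"


def describe(header: bytes) -> str:
    """Human-readable verdict for an operator pointing barnyard -f at a spool base name."""
    kind = unified_file_kind(header)
    if kind is None:
        return "not a unified file (unknown magic)"
    if carries_payload(kind):
        return "log_unified file: events with packet payload"
    return "alert_unified file: events only, no payload will reach the DB"


def check_spool_file(path: str) -> str:
    """Read just the file header and describe it."""
    with open(path, "rb") as f:
        header = f.read(struct.calcsize(LOG_HDR))
    return describe(header)


# Constructed sample headers (little-endian sensor, version 1.2, UTC, snaplen 1514).
SAMPLE_LOG_HEADER = struct.pack("<" + LOG_HDR, LOG_MAGIC, 1, 2, 0, 1514)
SAMPLE_ALERT_HEADER = struct.pack("<" + ALERT_HDR, ALERT_MAGIC, 1, 2, 0)


if __name__ == "__main__":
    # Usage: python unified_check.py /var/log/snort/snort.log.1124430000 ...
    for spool in sys.argv[1:]:
        print(f"{spool}: {check_spool_file(spool)}")
```

Run it against the files in $SNORT_LOG that match the base name given to barnyard -f; if every match is reported as alert_unified, barnyard is reading the wrong spool and no payload can appear in the database regardless of its output plugin configuration.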