[Snort-users] unified format

Roland Turner (SourceForge) raz.fs.arg at ...9950...
Fri Aug 19 07:36:55 EDT 2005

Igor Belikov said:

> - >8 - - >8 - - >8 -  part of snort.conf  - >8 - - >8 - - >8 -
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128

You only need the latter.

> startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
> snort.alert -w $SNORT_LOG/barnyard.waldo

Looks reasonable, except that you want snort.log, not snort.alert.

> When I use "-f snort.alert" - I get alert events in DB, but don't get
> payload. When I use "-f snort.log" - I don't get alert events in DB.

Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.

- Raz
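Putting the thread's advice together as an added example (not from the original post or from the Snort project): a minimal snort.conf fragment with a single unified output, a rule that uses the "log" action so the payload reaches the output plugin, and the matching barnyard invocation. The rule and sid are constructed placeholders; $SNORT_LOG is the variable from the quoted startup script.

```snort
# One unified output is enough; barnyard reads from this file base name.
# (Do not also configure alert_unified for the same events.)
output log_unified: filename snort.log, limit 128

# Use the "log" action, not "alert": with "alert" the output plugin
# sees the event but not the packet payload. Constructed example rule.
log tcp any any -> $HOME_NET 80 (msg:"example: log with payload"; sid:1000001; rev:1;)

# barnyard must read the log_unified file base, i.e. snort.log, not snort.alert:
#   barnyard -c barnyard.conf -d $SNORT_LOG -f snort.log -w $SNORT_LOG/barnyard.waldo
```

Check the result by confirming the unified file grows under $SNORT_LOG and that the database rows barnyard writes for sid 1000001 carry payload data.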
