[Snort-users] unified format

Roland Turner (SourceForge) raz.fs.arg at ...9950...
Fri Aug 19 07:36:55 EDT 2005


Igor Belikov said:


> - >8 - - >8 - - >8 -  part of snort.conf  - >8 - - >8 - - >8 -
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128


You only need the latter.


> startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
>
> startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f
> snort.alert -w $SNORT_LOG/barnyard.waldo


Looks reasonable, except that you want snort.log, not snort.alert.


> When I use "-f snort.alert" - I get alert events in DB, but don't get
> payload. When I use "-f snort.log" - I don't get alert events in DB.


Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.

- Raz
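As an added illustration of the advice in this thread (example configuration, not taken from either poster's files), a snort.conf fragment showing the single unified log output together with a rule written once with the "alert" action and once with the "log" action; the rule itself, its sids and the $HOME_NET variable are assumed for the example:

```snort
# snort.conf fragment (added example): one unified *log* output is all
# barnyard needs; point its -f at this file name (snort.log).
output log_unified: filename snort.log, limit 128

# Rule with the "alert" action: according to the thread, the data handed to
# the output plugins for an alert carries no packet payload, so barnyard can
# store the event but not its packet contents.
alert tcp any any -> $HOME_NET 21 (msg:"FTP session (event only)"; sid:1000001; rev:1;)

# The same rule with the "log" action: the packet is written to the unified
# log file, and barnyard reading snort.log can store it with the payload.
log tcp any any -> $HOME_NET 21 (msg:"FTP session (with payload)"; sid:1000002; rev:1;)
```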
