[Snort-users] Solved Can snort send alerts to the mysql database without writing an output file?
Dirk_Geschke at ...1344...
Fri Mar 10 00:58:03 EST 2006
> Solution that works:
> /usr/local/bin/snort -Dq -de -o -c /usr/local/etc/snort/snort.conf -i mi0 -u user -g group
> sleep 2
> rm /var/log/snort/alert
This solution will not work. If snort opens the alert file and populates
it, you cannot remove it as long as one process has the file open.
The rm command will remove the directory entry, but the file system
will keep filling up until snort is stopped.
+ There are two output facilities: "alert" and "log".
+ The database output plugin can be attached to one of them; that is the
first thing after "output database:":
output database: log, ...
output database: alert, ...
+ If you use "alert" then you should also use "-K none" or "-N".
+ If you use "log" then you should also use "-A none".
+ If a database output plugin for "alert" is activated, then no
alert files should be written. But you will still get log files, aka
pcap files. The options "-K none" or "-N" avoid this.
+ If a database output plugin for "log" is used, then an alert
file is generated and all alerts are written to it, but no log
files are created. In this case you should use "-A none" and
snort will only call log functions.
Activating an output plugin will disable the writing of the files
for this facility. But since you usually activate an output
plugin for only one facility, either "alert" or "log", you will
still get the files for the other one. Therefore two options exist
(these override configuration file settings):
+ "-K none" or "-N" --> no "log" files
+ "-A none" --> no "alert" files
A final note:
+ preprocessors usually call only alert functions.
+ The "tag" keyword will call only log functions for the tagged
packets. (Do not confuse "Tagged Packets" with the split
reassembled TCP streams of the unified output plugin.)
So with the normal database output plugin you will lose some information,
or you have to create two output plugins, one for "log" and one for "alert".
But then you will get most alerts twice, they are sent to the "log" and
Of course you can use FLoP, this will log each alert only one time if you
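The facility/flag pairing described above, written out as a snort.conf fragment with the matching command lines. This is an added example, not code from the original poster or from the Snort project; the MySQL connection parameters (user, password, dbname, host) and the snort.conf path are placeholders you must replace with your own.

```conf
# --- What NOT to do (the quoted "solution"): leave the alert facility on
# disk and rm the file afterwards. snort keeps the descriptor open, so the
# unlinked file keeps growing until snort exits.
#   snort -Dq -de -o -c /usr/local/etc/snort/snort.conf -i mi0 -u user -g group
#   rm /var/log/snort/alert      # frees nothing while snort runs

# --- Variant A: attach the database plugin to the "alert" facility.
# No alert file is written any more, but the "log" facility would still
# produce pcap files, so disable it on the command line with -K none (or -N).
# Connection parameters below are placeholders (assumed values).
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
#   snort -Dq -de -o -K none -c /usr/local/etc/snort/snort.conf -i mi0 -u user -g group

# --- Variant B: attach the database plugin to the "log" facility instead.
# Now no pcap "log" files are created, but the "alert" file would still be
# written, so disable the alert facility with -A none.
# Only one of Variant A or Variant B belongs in a given snort.conf.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
#   snort -Dq -de -o -A none -c /usr/local/etc/snort/snort.conf -i mi0 -u user -g group
```

Pick the variant by what you need to keep: preprocessors only raise alerts, so Variant A loses nothing from them but drops packets written by the "tag" keyword (a log-only path); Variant B keeps tagged packets but drops preprocessor alerts. Attaching two database plugins, one per facility, records both at the cost of most alerts appearing twice.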