[Snort-users] Different output options for different alerts

Willst Mail willstmail at ...11827...
Wed Mar 17 20:08:43 EDT 2010


Hello,
Is it possible to use different output options for different alerts?
In my specific case, what I would like to do is this:

1. All alerts are handled by the syslog output so they are written to
our logging system for correlation and archival.

2. All alerts except port scans and port sweeps are handled by the
database output so they are written to BASE for trending, reporting,
payload analysis, etc.

Some alerts are more useful for correlation than they are for analysis
and reporting, eg. the port scans/sweeps, not to mention can be
voluminous, so I'd rather not clutter up BASE if necessary.  We are
using barnyard2 v2.1.7 with Snort v2.8.5.x.  Are we somehow able to
achieve this configuration?

Thanks




More information about the Snort-users mailing list