[Snort-users] Different output options for different alerts

Matt Olney molney at ...1935...
Wed Mar 17 23:21:14 EDT 2010


Is this what you're looking for?

# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

Matt

On Wed, Mar 17, 2010 at 8:08 PM, Willst Mail <willstmail at ...11827...> wrote:

> Hello,
> Is it possible to use different output options for different alerts?
> In my specific case, what I would like to do is this:
>
> 1. All alerts are handled by the syslog output so they are written to
> our logging system for correlation and archival.
>
> 2. All alerts except port scans and port sweeps are handled by the
> database output so they are written to BASE for trending, reporting,
> payload analysis, etc.
>
> Some alerts are more useful for correlation than they are for analysis
> and reporting, e.g. the port scans/sweeps, not to mention can be
> voluminous, so I'd rather not clutter up BASE if necessary.  We are
> using barnyard2 v2.1.7 with Snort v2.8.5.x.  Are we somehow able to
> achieve this configuration?
>
> Thanks
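As an added illustration (not part of either post above), here is how the ruletype mechanism Matt quotes could be applied to the original question on the snort.conf side: the standard "alert" action keeps both outputs, while a custom rule type sends noisy, correlation-only signatures to syslog alone. The ruletype name, the database password placeholder and the rule SID are assumptions chosen for this example; the output plugin syntax is the same as in the quoted snort.conf comments.

```snort
# Added example, not from the original thread. Assumes snort.conf loads this
# fragment and that the MySQL database is the one BASE reads.

# Default outputs: every rule with the standard "alert" action goes to both
# syslog (for correlation/archival) and the database (for BASE).
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Custom rule type "corronly" (assumed name): syslog only, no database row.
ruletype corronly
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# A rule that uses the custom type instead of "alert". SID 1000001 is a
# constructed value from the local (>= 1000000) range.
corronly tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL scan-like SYN probe, syslog only"; flags:S; sid:1000001; rev:1;)
```

Any signature whose action keyword is changed from `alert` to `corronly` is still seen by syslog but never written to the database, so the split is decided per rule rather than per output plugin. A quick check after editing is `snort -T -c snort.conf`, which parses the configuration and reports an unknown rule type before the sensor is restarted.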