[Snort-users] Snort and Syslog

Jeremy Hoel jthoel at ...11827...
Thu Apr 4 11:45:24 EDT 2013


In OSSEC make a local rule to ignore the file and the process?

Or set up snort to not output to syslog..

and you might try running snort with the '-q' flag and see if it's quieter
in the logs.


On Thu, Apr 4, 2013 at 12:23 PM, Phil Daws <uxbod at ...14273...> wrote:

> Hi,
>
> When Snort starts it writes specific information to /var/log/messages eg.
>
> Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
> Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
> Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
> Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
> Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
> Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
> Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
> Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
> Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
> Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
> Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
>
> How can I redirect those messages to a separate file as it plays havoc
> with OSSEC :) I have tried adding snort.none to rsyslog.conf for
> /var/log/messages and then added snort.* to direct to another file. That
> did not work :(
>
> Any thoughts please?
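An rsyslog rule that does what the quoted message attempted, added here as an example and not taken from either poster. Selectors such as `snort.none` name syslog facilities (auth, daemon, local0..7, and so on), not program names, so the message is matched on the programname property instead; the drop-in path and destination file name are assumptions.

```conf
# /etc/rsyslog.d/10-snort.conf  (constructed example; file names are assumptions)
#
# "snort.none" / "snort.*" are facility.priority selectors, and "snort" is not
# a facility, so rsyslog rejects them. Match on the sender's program name,
# which is the "snort" in "fw1 snort[2951]:".

# Route every message logged by the snort process to its own file ...
:programname, isequal, "snort"    /var/log/snort/snort-syslog.log

# ... and discard it so the later "*.info;...  /var/log/messages" rule never
# sees it. Use "& ~" instead of "& stop" on rsyslog versions older than 7.
& stop
```

The drop-in must be read before the rule that writes to /var/log/messages, which is the case when `$IncludeConfig /etc/rsyslog.d/*.conf` sits above the default rules in rsyslog.conf; OSSEC can then be pointed at the new file or left ignoring it.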