[Snort-users] Snort and Syslog

Phil Daws uxbod at ...14273...
Thu Apr 4 14:49:42 EDT 2013

Hi Jeremy, 

How many rules would be require in OSSEC to suppress those entries! ;) The issue is how to make Snort write to a different file than syslog. I do not wish to suppress the Snort info just redirect to a different file so that I can pick the juicy bits out to monitor. Appreciate the input. 


----- Original Message -----

From: "Jeremy Hoel" <jthoel at ...11827...> 
To: "Phil Daws" <uxbod at ...14273...> 
Cc: snort-users at lists.sourceforge.net 
Sent: Thursday, 4 April, 2013 4:45:24 PM 
Subject: Re: [Snort-users] Snort and Syslog 

In OSSEC make a local rule to ignore the file and the process? 

Or setup snort to not output to syslog.. 

and you might try running snort with the '-q' flag and see if it's quieter in the logs. 

On Thu, Apr 4, 2013 at 12:23 PM, Phil Daws < uxbod at ...14273... > wrote: 


When Snort starts it writes specific information to /var/log/messages eg. 

Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ] 
Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] ------------------------------------- 
Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q 
Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA 
Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars 
Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes) 
Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294 
Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275 
Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19 
Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0 
Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637 

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct too another file. That did not work :( 

Any thoughts please ? 

Minimize network downtime and maximize team effectiveness. 
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal 
Snort-users mailing list 
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe: 
Snort-users list archive: 

Please visit http://blog.snort.org to stay current on all the latest Snort news! 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130404/1fb77b91/attachment.html>

More information about the Snort-users mailing list