[Snort-users] error at logging to database

beenph beenph at ...11827...
Wed Jun 19 11:15:56 EDT 2013


On Wed, Jun 12, 2013 at 7:17 AM, Miquel Tur <mtur at ...16412...> wrote:
> Hi,
>
> I'm trying to log alerts to my database, but if the rule is like:
>
> log tcp any...
>
> It doesn't work and display this warning:
>
> WARNING database [Database()]: Called with Event[0x0] Event Type [0]
> (P)acket [0x9954860], information has not been outputed.
>
> but if the rule is an alert:
>
> alert tcp any... (with the same rule, only changing this)
>
> It works.
>
> I use the output unified2 in snort and a postgresql database for the
> barnyard2 output.
>
> The most curious thing is that everything works correctly if the rule is an alert, but if
> it is a log, I can only see the warning and the event is not saved in the
> database.

http://manual.snort.org/node29.html#SECTION00421000000000000000


alert - generate an alert using the selected alert method, and then
log the packet

log - log the packet

Barnyard2 needs an event and a packet to output to the database.

As I understand it, if you only use LOG as a rule action, only the
packet is produced, hence the behavior you observe.

-elz
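An added illustration of the explanation above (my own example code, not barnyard2's or Snort's): a minimal unified2 reader that pairs packet records with the event record carrying the same event_id, the way barnyard2 does before handing both to the database output. The two byte streams are constructed samples that assume an alert rule writes an event record followed by a packet record, while a log rule writes only the packet record.

```python
import struct

# unified2 record type ids from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Unified2IDSEvent_legacy (52 bytes) and the Serial_Unified2Packet
# header (28 bytes, then the raw packet bytes); all fields big-endian.
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"
PACKET_FMT = ">IIIIIII"

def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 buffer."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        yield rtype, data[off:off + length]
        off += length

def pair_packets(data):
    """Model barnyard2's pairing: a packet record is usable for the database
    output only if an event record with the same event_id was seen first.
    Returns (paired, orphaned) event_ids; an orphan is the Event[0x0] case."""
    events, paired, orphaned = {}, [], []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            fields = struct.unpack(EVENT_FMT, body)
            events[fields[1]] = fields            # index by event_id
        elif rtype == UNIFIED2_PACKET:
            event_id = struct.unpack(PACKET_FMT, body[:28])[1]
            (paired if event_id in events else orphaned).append(event_id)
    return paired, orphaned

def record(rtype, body):
    """Prepend the 8-byte unified2 record header (type, length)."""
    return struct.pack(">II", rtype, len(body)) + body

def make_event(event_id):
    """Constructed sample event: sid 1000001, tcp 10.0.0.1:1234 -> 10.0.0.2:80."""
    return struct.pack(EVENT_FMT, 1, event_id, 1371000000, 0, 1000001, 1, 1,
                       0, 3, 0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)

def make_packet(event_id, payload=b"\x00" * 14):
    """Constructed sample packet record that references event_id."""
    return struct.pack(PACKET_FMT, 1, event_id, 1371000000, 1371000000,
                       0, 1, len(payload)) + payload

# Constructed streams: an 'alert' rule (event, then packet) and a 'log' rule (packet only).
ALERT_RULE_STREAM = record(UNIFIED2_IDS_EVENT, make_event(1)) + record(UNIFIED2_PACKET, make_packet(1))
LOG_RULE_STREAM = record(UNIFIED2_PACKET, make_packet(2))
```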



