[Snort-users] Snort alert file missing?

elof at ...6680...
Thu Mar 28 12:51:58 EDT 2013

I would suggest:

In your snort.conf:
output unified2: filename snort.unified2
output alert_fast: snort.alert

In your barnyard2.conf:
output log_tcpdump: barnyard2.tcpdump
output database: log, <sql-type>, user=x password=xxx etc

This will result in snort always logging to unified2 and to an ascii-file 
immediately, even if barnyard2 and/or the sql server is offline.

Barnyard2 will then read events from unified2 and output them both to a 
pcap file and to the sql server.


On Thu, 28 Mar 2013, Joel Esler wrote:

> On Mar 28, 2013, at 11:07 AM, Nicholas Bogart <nickybzoss at ...11827...> wrote:
>> Snort Version
> Current version is, you should update.
>> I have walked into an office where we are using snort connected to a mysql database.  There doesn't seem to be an alert file.  If we have setup a database connection will it no longer also store stuff in the alert file or is there a setting I am missing?
> If your output method is DB, then your output method is not set to log to disk.
> Keep in mind, while you are upgrading, that direct-to-db output has been removed from newer versions of Snort (started in, so you need to use barnyard2 to insert into the DB.
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
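As an added check, not part of this thread or of the Snort/barnyard2 projects, the following Python audit reads the `output` directives of a snort.conf and reports the situation described in the question above: only a database output, no alert file on disk. The plugin names are the ones named in the thread plus `alert_full` (assumed to be spelled as in the stock snort.conf), and both sample configs are constructed for illustration.

```python
import re
from typing import Dict, List

# Snort 2.x output plugins that write alerts to local disk
# (assumption: names as they appear in the stock snort.conf).
DISK_ALERT_PLUGINS = {"alert_fast", "alert_full", "unified2"}

# Matches an active "output <plugin>: <args>" line; a leading '#' makes
# the line a comment, which this pattern deliberately does not match.
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_outputs(conf_text: str) -> Dict[str, List[str]]:
    """Return {plugin_name: [argument strings]} for every active output line."""
    found: Dict[str, List[str]] = {}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def audit_snort_outputs(conf_text: str) -> List[str]:
    """Explain why alerts may not reach disk and which directive is missing."""
    outputs = parse_outputs(conf_text)
    findings: List[str] = []
    if not outputs:
        return ["no active 'output' directive: nothing is logged anywhere"]
    if "database" in outputs:
        findings.append("snort.conf logs straight to the database; move "
                        "'output database:' to barnyard2.conf, which reads unified2")
    if not outputs.keys() & DISK_ALERT_PLUGINS:
        findings.append("no disk alert output (alert_fast/alert_full/unified2): "
                        "alerts are lost whenever the database backend is down")
    if "unified2" not in outputs:
        findings.append("no 'output unified2:' spool, so barnyard2 has nothing to read")
    return findings


# Constructed sample: the database-only setup from the question.
DB_ONLY_CONF = """\
# output alert_fast: snort.alert
output database: log, mysql, user=snort password=REDACTED dbname=snort host=localhost
"""

# Constructed sample: the snort.conf layout suggested in this reply.
SUGGESTED_CONF = """\
output unified2: filename snort.unified2, limit 128
output alert_fast: snort.alert
"""
```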
