[Snort-users] Snort alert file missing?

elof at ...6680...
Thu Mar 28 12:51:58 EDT 2013


I would suggest:

In your snort.conf:
output unified2: filename snort.unified2
output alert_fast: snort.alert

In your barnyard2.conf:
output log_tcpdump: barnyard2.tcpdump
output database: log, <sql-type>, user=x password=xxx etc


This will result in snort always logging to unified2 and to an ASCII file 
immediately, even if barnyard2 and/or the sql server is offline.

Barnyard2 will then read events from unified2 and output them both to a 
pcap file and to the sql server.

/Elof


On Thu, 28 Mar 2013, Joel Esler wrote:

> On Mar 28, 2013, at 11:07 AM, Nicholas Bogart <nickybzoss at ...11827...> wrote:
>
>> Snort Version 2.8.5.2
>
> Current version is 2.9.4.1, you should update.
>
>>
>> I have walked into an office where we are using snort connected to a mysql database.  There doesn't seem to be an alert file.  If we have set up a database connection will it no longer also store stuff in the alert file or is there a setting I am missing?
>
> If your output method is DB, then your output method is not set to log to disk.
>
> Keep in mind, while you are upgrading, that direct-to-db output has been removed from newer versions of Snort (started in 2.9.3.0), so you need to use barnyard2 to insert into the DB.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
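
One way to lint a snort.conf for the situation described in this thread (only a database output configured, so nothing is written to disk, and direct-to-DB output gone from 2.9.3.0 onward), as an added example that is not part of the thread; the config fragments are constructed, and the plugin names are the standard Snort 2.x output plugins:

```python
import re

# Constructed snort.conf fragments (assumed, not from the thread) for the two cases
# discussed: database-only output, and the recommended unified2 + alert_fast setup.
DB_ONLY_CONF = """\
# alerts go straight to MySQL, nothing written to disk
output database: log, mysql, user=snort password=xxx dbname=snort host=localhost
"""
RECOMMENDED_CONF = """\
output unified2: filename snort.unified2, limit 128
output alert_fast: snort.alert
"""

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
# Snort 2.x output plugins that write to local disk (so alerts survive a DB outage).
DISK_OUTPUTS = {"alert_fast", "alert_full", "alert_csv", "unified2",
                "log_tcpdump", "log_unified", "alert_unified"}
# Direct-to-database output was removed starting with Snort 2.9.3.0.
DB_REMOVED_SINCE = (2, 9, 3, 0)

def parse_outputs(conf_text):
    """Return (plugin, arguments) for every 'output' directive in a snort.conf."""
    outputs = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append((m.group(1), m.group(2).strip()))
    return outputs

def parse_version(version):
    """'2.8.5.2' -> (2, 8, 5, 2), so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))

def check_outputs(conf_text, snort_version):
    """Explain why a Snort alert file may be missing for this config and version."""
    plugins = {name for name, _ in parse_outputs(conf_text)}
    findings = []
    if not plugins & DISK_OUTPUTS:
        findings.append("no disk output configured: no alert file will be written")
    if "database" in plugins:
        if parse_version(snort_version) >= DB_REMOVED_SINCE:
            findings.append("output database was removed in 2.9.3.0: "
                            "log unified2 and let barnyard2 insert into the DB")
        else:
            findings.append("direct database output: alerts are lost while "
                            "the SQL server is offline; add unified2 + alert_fast")
    return findings
```

Run check_outputs() over the real snort.conf text and the installed version string to get the findings for a given sensor.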