No subject

Thu Nov 23 16:36:19 EST 2017

include ../rules/classification.config
include ../rules/reference.config

preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor frag2: 16777216, 30
preprocessor stream4: memcap 16777216, detect_state_problems
preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443 513 1433 2138 2255 5631 8080
preprocessor rpc_decode: 111
preprocessor bo: -nobrute

var HOME_NET [81.113.172.0/27]

preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 212.17.192.49 194.247.160.6 212.17.192.49 194.73.95.85 198.41.0.10 212.216.112.112 212.245.255.2 194.20.8.4

# spade

# arpspoof
preprocessor arpspoof

preprocessor telnet_decode

#  LOGGING

Various Variables Here
...
...



ruletype clear
{
   type pass output
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}

ruletype normal
{
   type alert output
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}

ruletype redalert
{
   type alert output
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
   output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
}

ruletype archivio
{
   type log output
   output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password= sensor_name=fwint0 detail=full
}





As you can see, I use the "alert" facility in the database ruletype declaration.

The problem is that Snort continues to log preprocessor alerts into the /var/log/snort/alerts file!

I've also realized that rules declared with the rule action "alert" are logged into the file and not into the database. I think it is better to create a ruletype called "alert" to log all of these into the database, but the alert ruletype is already declared!

How do I solve these problems?




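A follow-up configuration example, added here and not part of the original post or of Snort's own documentation. The point it illustrates: in Snort 2.x the output plugins declared inside a ruletype block are used only by rules written with that ruletype, while preprocessor events and rules using the built-in "alert" and "log" actions go to the standard alert/log facilities, which use the output plugins declared at global scope (falling back to the alert file when none are declared). The fragment reuses the poster's database parameters; the two rules at the end are constructed placeholders, and the behaviour described is assumed to match the Snort version the poster is running.

```conf
# Global output plugins (outside any ruletype block) serve the standard
# "alert" and "log" facilities: preprocessor events and every rule that
# uses the built-in alert/log actions. Values copied from the post.
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password= sensor_name=fwint0 detail=full

# A custom ruletype's output plugins fire only for rules that name it;
# they never see preprocessor events.
ruletype redalert
{
   type alert
   output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
   output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
}

# Constructed example rules (placeholders, not from the post).
# Built-in action: routed through the global database plugin above.
alert tcp any any -> $HOME_NET 23 (msg:"EXAMPLE telnet SYN to home net"; flags:S; sid:1000001; rev:1;)
# Custom ruletype: routed through redalert's database plugin and SNMP trap.
redalert tcp any any -> $HOME_NET 1433 (msg:"EXAMPLE mssql SYN to home net"; flags:S; sid:1000002; rev:1;)
```

Two things worth checking after such a change: run Snort in test mode (`snort -T -c snort.conf`) so a syntax problem in the output lines is reported before the sensor restarts, and make sure no `-A` option is passed on the command line, since a command-line alert mode overrides the alert outputs declared in the configuration file.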