No subject


Thu Nov 23 16:36:19 EST 2017


1)  '-N' on the command line (yes, I know you said it didn't work)
2)  In snort.conf, add a 'output log_null' after the 'output database: alert ...'

Also: "Note that command line logging options override any output options
specified in the configuration file. This allows debugging of configuration
issues quickly via the command line." [1]

This could be why specifying '-N' on the command line disables the output
plugin for MySQL.  Try the 'output log_null' in snort.conf and let us know
what happens.


HTH,

Christopher

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1
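The change Christopher suggests, written out as a complete output section of snort.conf so the current and corrected configuration sit side by side. This is an added example, not text from the thread or from the Snort project; the database user, password, database name and host are the placeholders Nick posted, and the comments describe the behaviour the thread reports (default disk logging for the log facility, '-N' overriding every output plugin).

```conf
# --- Before: Nick's current output section --------------------------------
# Only the *alert* facility is redirected to MySQL.  Nothing replaces the
# default plugin for the *log* facility, so every packet that matches a rule
# is still written under /var/log/snort/<src-ip>/<proto>:<sport>-<dport>.
output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost

# --- After: alerts stay in MySQL, the packet log is discarded ---------------
output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost
# log_null takes the place of the default disk logger for the log facility.
# Declare it here rather than passing -N: the command-line switch overrides
# every output plugin in the file, which is why -N also silenced MySQL.
output log_null
```

Start snort exactly as before, without '-N' and without '-b', since the binary log is no longer needed once nothing is written to disk. To check the result, run 'snort -T -c /etc/snort/snort.conf' to confirm the file parses with both plugins, then replay traffic at the sensor and verify that alerts keep arriving in the 'snort' database while /var/log/snort gains no per-IP directories.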


-----Original Message-----
From: Nick White [mailto:nwhite at ...9112...]
Sent: Wednesday, May 07, 2003 7:48 PM
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


You're right, the -N option turns off packet logging.  Sure it doesn't
write to the disk, but it turns off packet logging within mysql as well
- not cool.  Surely there is a way to have snort log everything to mysql
(even packet logging), without dumping data to the hard drive.  I just
can't figure out how.  I'm starting snort with -b (binary logging)
option, which takes care of it crashing after a few minutes under a
really heavy load.  Even still, logging to the disk is a total waste
because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy at ...2878...]
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] disable /var/log/snort logging


The -N option should suppress logging (while allowing alerts).

Caveats:
	1. I don't know if it will stop logs to mysql, too.
	2. The option doesn't seem to be working on my system (Solaris 8) under Snort 2.0.

					- Andy

On Tue, 6 May 2003, Nick White wrote:

> Hi All,
> I'm fairly new with snort, so go easy on me.  I'm running snort and
> logging to mysql just fine.  The problem is, it's also logging to
> /var/log/snort.  I need to figure out how to disable this logging to
> disk.  I've looked at all the switches, and I can't seem to figure it
> out.  I tried -A none, but then it stopped alerting to mysql.  I also
> tried -l /dev/null, but it didn't like that one.
>
> Snort starts as a service via:
> /usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf
>
> In snort.conf, I log to mysql with:
> output database: alert, mysql, user=snortusr password=fakepass
> dbname=snort host=localhost
>
> I'm trying to kill snort with as much data as I can throw at it, and it
> always dies after a few minutes with:
> May  6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() =>
> fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory
>
> But I KNOW that the snort user has full permission to /var/log/snort.
> But I don't need logging to disk.  It's a waste.  I only want it to log
> to mysql.
>
> Thanks for your help!
> - nick white
>
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
>

------------------------------------------------------------------------------
** Andy Johnston (andy at ...2878...)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------


