[Snort-users] Snort3 does not write to alert_full.txt in daemon mode

oleg gv oagvozd at gmail.com
Wed Aug 29 08:56:28 EDT 2018


Hello,
Snort3 does not write to alert_full.txt in daemon mode.

When not in daemon mode (no -D), it writes to stdout.

I run snort3:
/usr/bin/snort -D -M --daq-dir /usr/local/lib/snort/daqs --daq-dir
/usr/local/lib/snort_extra/daqs --daq-dir /usr/local/daqm/lib/daq
--create-pidfile -y -t / -l /var/log/idsm/ --plugin-path
/usr/local/lib/snort_extra -c /tmp/snort-config --daq afpacket -i ethernet1
-R /tmp/rules.txt -A alert_full --lua alert_full = { file=true }

/tmp/rules.txt contains 1 any-any icmp rule.

At exit I got this in syslog:
.....
snort[4680]: detection
snort[4680]:                  analyzed: 7616
snort[4680]:                hard_evals: 1047
snort[4680]:              total_alerts: 1047
snort[4680]:                    logged: 1047 -- logged, but does not appear in alert_full.txt!
....
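An added check, not from the original post or from Snort itself, that compares the "logged" counter in Snort3's exit statistics with the records actually present in alert_full.txt, so a silent drop like the one reported here shows up in monitoring. The syslog timestamp/host prefix and the alert_full record header format are assumptions, and all sample data is constructed.

```python
import re

# Constructed sample of the syslog lines Snort3 prints at exit (the "detection"
# block quoted in the post; the syslog timestamp/host prefix is assumed).
SYSLOG_SAMPLE = """\
Aug 29 08:55:01 idsm snort[4680]: detection
Aug 29 08:55:01 idsm snort[4680]:                  analyzed: 7616
Aug 29 08:55:01 idsm snort[4680]:                hard_evals: 1047
Aug 29 08:55:01 idsm snort[4680]:              total_alerts: 1047
Aug 29 08:55:01 idsm snort[4680]:                    logged: 1047
"""
# Constructed alert_full.txt content with two records. The record header format
# '[**] [gid:sid:rev] "msg" [**]' is assumed; in the failure described above
# the file would hold no records at all.
ALERT_FULL_SAMPLE = """\
[**] [1:1000001:1] "ICMP any-any test" [**]
[Priority: 0]
08/29-08:54:55.100000 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84

[**] [1:1000001:1] "ICMP any-any test" [**]
[Priority: 0]
08/29-08:54:56.100000 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
"""

# Counter lines look like "snort[PID]:  name: value"; records start with the assumed header.
STAT_RE = re.compile(r"snort\[\d+\]:\s+(?P<name>\w+):\s+(?P<value>\d+)\s*$")
RECORD_RE = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] ")

def parse_detection_stats(syslog_text):
    """Return {stat_name: int} for every 'name: value' counter in the block."""
    stats = {}
    for line in syslog_text.splitlines():
        m = STAT_RE.search(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats

def count_alert_records(alert_full_text):
    """Count alert_full records by their '[**] [gid:sid:rev]' header line."""
    return sum(1 for line in alert_full_text.splitlines() if RECORD_RE.match(line))

def audit_alert_sink(syslog_text, alert_full_text):
    """Return (logged, written, missing): Snort's own 'logged' counter versus the
    records that actually reached the file; missing > 0 is the condition reported."""
    logged = parse_detection_stats(syslog_text).get("logged", 0)
    written = count_alert_records(alert_full_text)
    return logged, written, max(logged - written, 0)
```

Run it against the real syslog extract and alert_full.txt after Snort exits; a non-zero "missing" value is the signal that alerts were counted but never written.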