Snort mailing list archives
Re: snort & logging
From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 12:41:16 -0700
Sven: Logging and alerts are two different animals. At least in a rules file (this is my tcp-local-lib..) you can do this:

# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)
# log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
# alert to, log from

(Actually I don't think the (msg: ... ) does anything in the log line...) So tcp coming in to *my* port 25 generates an alert, but I'm just logging everything that's *from* port 25.
HTH.. - John

Sven Olensky wrote:
I know, I know, I bet a million people have encountered this before, but I have to ask it, since I am just plainly clueless about how to go about this: how exactly do I switch snort to logging into the alerts file rather than the log file.. can you guys give me the complete line I have to insert into snort.conf for that, please? I can't figure it out. preprocessor output..... and what then? thanks! please cc sol () intelispan net, since I am not a regular subscriber.
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
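To make the alert-versus-log distinction concrete, here is an added example configuration (not John's tcp-local-lib file and not Sven's snort.conf) showing how the two rule actions pair with the output directives in snort.conf. The network range and the output file names are placeholders chosen for the example.

```snort
# --- snort.conf fragment (added example; addresses and file names are assumed) ---
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# "alert" rules feed the alert output (and the packet is also logged);
# "log" rules only feed the log output, so nothing appears in the alert file.
output alert_fast: alert.ids        # one line per alert, carrying the rule's msg text
output log_tcpdump: snort.log       # logged packets written in pcap format

# --- local rules file ---
# Inbound connections to our SMTP port: alert (and log) every packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TCP to 25 smtp";)

# Traffic coming back from a remote port 25: log only, no alert.
log tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"TCP from 25 smtp";)
```

With this layout the alert file stays small and reviewable (only the inbound-to-25 rule writes to it), while the pcap log keeps the full packets for later inspection. If the goal is to have a rule's hits land in the alert file rather than the log file, the fix is the rule action (alert instead of log), not the preprocessor section of snort.conf.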
Current thread:
- snort & logging Sven Olensky (Jun 11)
- Re: snort & logging John Sage (Jun 11)
- <Possible follow-ups>
- RE: snort & logging Sven Olensky (Jun 11)
- FW: snort & logging Sven Olensky (Jun 13)
- Re: FW: snort & logging Brian Caswell (Jun 13)
- RE: FW: snort & logging Sven Olensky (Jun 13)