Snort mailing list archives

Snort Output plug-in questions.


From: Vjay LaRosa <vjayl () emc com>
Date: Mon, 24 Sep 2001 15:37:34 -0400

Hello,

Quick question about output plugins. I am currently using the following
in my rules file,

output alert_fast: /opt/snort/log/alert
output database: alert mysql, dbname=snort user=mysql host=localhost password=test123 sensor_name=production encoding=ascii detail=full

My snort command line looks like this,

/opt/snort/bin/snort -D -i qfe6 -c /opt/snort/conf/rules.conf -l /opt/snort/log -X -d

My question is this.

I want to log everything to the DB, but I also want to log just the alert
(not the packet info) to the /opt/snort/log/alert file. This is not what is
happening currently: the full packet is still being logged to disk in the
/opt/snort/log/X.X.X.X directories.

So if I leave off the -X -d on the command line, will I still be able to
get the full packet in the DB, and just the alerts to the alert file? Thanks!

vjl



--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com
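The alert file the post refers to is written by the alert_fast plug-in, which emits one line per alert with no packet payload. The following is an added example, not code from the original post or from the Snort project, that parses lines in that one-line format into records and summarises them by signature and source address. The sample lines are constructed here and the field layout (timestamp, [**] markers, gid:sid:rev, optional Classification and Priority brackets, protocol, endpoints) is assumed from the alert_fast format; a sensor's real output should be checked against it before relying on the parser.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the alert_fast one-line format. These are made up
# for this example (RFC 5737 documentation addresses), not taken from any sensor.
SAMPLE_ALERTS = """\
09/24-15:37:34.123456 [**] [1:1234:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40123 -> 198.51.100.5:80
09/24-15:37:35.000001 [**] [1:2000:2] ICMP PING example [**] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
09/24-15:37:36.500000 [**] [1:1234:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:40124 -> 198.51.100.5:80
this line is not an alert and must be skipped
"""

# One regex for the whole line. Classification and Priority are optional because
# rules without a classtype produce lines without those brackets; ports are
# optional because ICMP alerts carry bare addresses.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>\d[\d.]*)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d[\d.]*)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"],
        gid=int(g["gid"]),
        sid=int(g["sid"]),
        rev=int(g["rev"]),
        msg=g["msg"],
        classification=g["cls"],
        priority=int(g["pri"]) if g["pri"] is not None else None,
        proto=g["proto"],
        src=g["src"],
        sport=int(g["sport"]) if g["sport"] is not None else None,
        dst=g["dst"],
        dport=int(g["dport"]) if g["dport"] is not None else None,
    )


def parse_alert_fast(text: str) -> list:
    """Parse a whole alert file, silently skipping non-alert lines."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is not None:
            alerts.append(a)
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per (gid, sid) and per source address for quick triage."""
    return {
        "by_signature": Counter((a.gid, a.sid) for a in alerts),
        "by_source": Counter(a.src for a in alerts),
    }


if __name__ == "__main__":
    parsed = parse_alert_fast(SAMPLE_ALERTS)
    for key, count in summarize(parsed)["by_signature"].most_common():
        print(f"gid:sid {key[0]}:{key[1]} fired {count} time(s)")
```

Because alert_fast lines carry no payload, a record like this is enough to pivot into the database for the full packet when `detail=full` is configured there, which is the split the post is after: a lightweight text file for tailing and paging, the packet data in the DB.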


