Snort mailing list archives
RE: Snort 1.9, RH 7.3 and Acid
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Tue, 8 Oct 2002 08:37:47 -0700
From the reference [0] below:
From the reference [0] below:

"What this means in practical terms is that if the db plug-in is in alert mode, it will only receive output from alert rules, whereas if it's in "log" mode it will receive output from both log and alert rules."

Great...but how do you tell if the plug-in is in alert mode or log mode? Strictly speaking, there was no mention of such a setting in the setup doc that I got from the snort site. Additionally, that doesn't make sense. The DB simply listens for an authorized user to insert some data. It has no "mode." (Maybe it is a reference to the setting that you are changing in the snort.conf file...._shrug_)

I checked both links and neither gave me any appreciable information over the doc that I used for setup.

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

Thanks for the attempt though.

The discussion about the difference between log and alert settings is interesting, but it seems to me that the settings are more geared toward syslog-type logging rather than db. The alert setting did start producing output, yet the log setting does not. This is somewhat interesting (esp. since the log setting worked in 1.8.7 but not in 1.9.0), as the log setting should be noisier due to the fact that it should log all packets to the db, yet the db only seems to get info if snort is given the alert setting.

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, October 07, 2002 10:15 AM
Subject: RE: [Snort-users] Snort 1.9, RH 7.3 and Acid

On Mon, 7 Oct 2002, Slighter, Tim wrote:
Changing it from 'alert' to 'log' has nothing to do with the rules, it only has to do with the output facility. Marty gives a nice breakdown of it in an old message[0] to the list.

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1] http://acidlab.sourceforge.net/acid_config.html
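Added illustration, not part of the original thread: the "mode" the quoted text refers to is the facility keyword given as the first argument of the `output database:` line in snort.conf, so that line is where you tell which mode the database plug-in is in. The fragment below is a constructed example (the user, password, dbname and host values are placeholders); only one of the two lines would normally be uncommented in a real configuration.

```conf
# snort.conf fragment (constructed example; credentials and host are placeholders)

# "alert" facility: the database plug-in only receives output from alert rules.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# "log" facility: the plug-in receives output from both log and alert rules,
# so it is the noisier of the two settings.
#output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

To check which facility a running sensor was started with, look for the active (uncommented) line, for example with `grep -i '^output database' /etc/snort/snort.conf`; ACID itself has no notion of mode and simply displays whatever rows the plug-in inserts into the database tables.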
Current thread:
- Snort 1.9, RH 7.3 and Acid Beckett, Josh (Oct 04)
- Re: Snort 1.9, RH 7.3 and Acid Addam Schroll (Oct 04)
- <Possible follow-ups>
- RE: Snort 1.9, RH 7.3 and Acid Beckett, Josh (Oct 04)
- RE: Snort 1.9, RH 7.3 and Acid Slighter, Tim (Oct 07)
- RE: Snort 1.9, RH 7.3 and Acid Erek Adams (Oct 07)
- RE: Snort 1.9, RH 7.3 and Acid Beckett, Josh (Oct 07)
- RE: Snort 1.9, RH 7.3 and Acid Kevin Brown (Oct 07)
- RE: Snort 1.9, RH 7.3 and Acid Beckett, Josh (Oct 08)
- RE: Snort 1.9, RH 7.3 and Acid Erek Adams (Oct 08)