Snort mailing list archives
RE: Snort 1.9, RH 7.3 and Acid
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 09:12:08 -0700 (PDT)
On Tue, 8 Oct 2002, Beckett, Josh wrote:
> From the reference [0] below: "What this means in practical terms is that if the db plug-in is in alert mode, it will only receive output from alert rules, whereas if it's in "log" mode it will receive output from both log and alert rules." Great...but how do you tell if the plug-in is in alert mode or log mode? Strictly speaking, there was no mention of such a setting in the setup doc that I got from the snort site. Additionally, that doesn't make sense. The DB simply listens for an authorized user to insert some data. It has no "mode." (Maybe it is a reference to the setting that you are changing in the snort.conf file...._shrug_)
Yep. Have a look at your db output line:

    output database: log, mysql, user=snort dbname=snort host=localhost

If you want to change the word 'log' to 'alert' you change the facility that the db plugin sends to the db.
> I checked both links and neither gave me any appreciable information over the doc that I used for setup. http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf Thanks for the attempt though. The discussion about the difference between log and alert settings is interesting, but it seems to me that the settings are more geared toward syslog-type logging rather than db.
Actually, it's not really geared to anything except Marty. :) The term 'facility' doesn't mean it's geared to syslog. It just means that syslog used the term in a different meaning than Snort. Consider the alert and log facilities (of snort) as a channel on TV. 'Do you want to watch the alert channel or the log channel?' is another way of thinking of it.
> The alert setting did start producing output, yet the log setting does not. This is somewhat interesting (esp. since the log setting worked in 1.8.7 but not in 1.9.0), as the log setting should be noisier due to the fact that it should log all packets to the db, yet the db only seems to get info if snort is given the alert setting.
If you do a quick grep thru the rules for ones that start with "log" I'm sure you won't find any. All of them use "alert". So by that, snort would only send to the db what is 'alert' instead of what is labeled 'log'. Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
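Added example (not from this thread or from the Snort project): a small Python script that does what Erek's grep does, counting the action keyword at the start of each rule, reads the facility out of the `output database:` line quoted above, and applies the rule from the quoted reference (an output plugin on the alert facility receives only alert rules; on the log facility it receives both log and alert rules) to show how many rules would feed the db under each setting. The rule lines and the `RULE_ACTIONS` set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample rules in the Snort 1.x rule layout (not copied from any real ruleset).
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection"; flags:S; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000002; rev:1;)
log tcp any any -> $HOME_NET 80 (msg:"HTTP traffic"; sid:1000003; rev:1;)
# pass rules drop the packet from further processing and never reach an output plugin
pass tcp $HOME_NET any -> any 53 (msg:"DNS"; sid:1000004; rev:1;)
"""

# Action keywords recognised at the start of a rule line (assumed list for this example).
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

def rule_actions(rules_text):
    """Count the leading action keyword of every non-comment rule line."""
    counts = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        if action in RULE_ACTIONS:
            counts[action] += 1
    return counts

def parse_output_facility(conf_line):
    """Return the facility keyword ('log' or 'alert') from a snort.conf 'output database:' line."""
    m = re.match(r"\s*output\s+database:\s*(\w+)\s*,", conf_line)
    if not m:
        raise ValueError("not an 'output database:' line")
    return m.group(1)

def facility_receives(output_facility, rule_action):
    """Model the quoted reference: 'alert' facility gets alert rules only,
    'log' facility gets both log and alert rules."""
    if output_facility == "alert":
        return rule_action == "alert"
    if output_facility == "log":
        return rule_action in ("alert", "log")
    raise ValueError(f"unknown output facility: {output_facility}")

def rules_reaching_db(rules_text, conf_line):
    """Number of rules whose events the db plugin would receive under the given output line."""
    facility = parse_output_facility(conf_line)
    counts = rule_actions(rules_text)
    return sum(n for action, n in counts.items() if facility_receives(facility, action))
```

Run against a real rules directory by concatenating the `.rules` files into `rules_text`; if, as Erek expects, no rule starts with "log", both facilities yield the same count and the difference Josh sees must come from somewhere other than the rule actions.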