Snort mailing list archives
Re: How do I suppress file-logging but not database-logging?
From: Bamm Visscher <bamm () satx rr com>
Date: Wed, 21 Jan 2004 08:25:34 -0600
Okay, first you need to understand what is going on. Snort has two output facilities: ALERT and LOG. If you don't define a mechanism for handling each of these, snort will use the defaults. For ALERT, the default is the alert file (/var/log/snort/alert). For LOG, the default is those funky ip addr directories.

In your conf file, you are using:

output database: log, mysql, user=$DB_USER password=$DB_PASSWORD

which attaches the database output mechanism to the LOG facility. This:

output database: alert, mysql, blah

would attach it to the ALERT facility.

Now, to turn off the default LOG you use the -N switch. To turn off ALERT, use '-A none'. So, '-A none' should work for you (just don't use -N in conjunction with it, as that will turn off all LOGging - cmd line overrides the conf file).

Bammkkkk

On Wed, Jan 21, 2004 at 01:58:50PM +0100, Martin Olsson wrote:
> On Wed, 21 Jan 2004, Dirk Geschke wrote:
>
> > > I can't get snort to stop logging to file. With '-A none' it is
> > > stopped, but this also stops the logging to mysql.
> >
> > The -A option overwrites the output plugins in snort.conf. Try instead
> > the option '-N', this will suppress any normal reporting but the output
> > plugins will still work.
>
> That didn't help.
>
> snort.conf:
>
> config logdir: /usr/sentor/log
> config alert_with_interface_name
> config umask: 022
> config checksum_mode: none
> config show_year
> config interface: em1
> config detection: search-method ac
> config threshold: memcap 131072
> config nolog
> output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
> config order: pass activation dynamic alert log
> config reference: sentor http://10.242.2.13/sid/
> config classification: unknown,Unknown Traffic,3
> alert tcp any any -> any any (msg:"flash - tcp syn"; reference:sentor,9000000.txt; classtype:unknown; sid:9000000; rev:1;)
>
> That's all. I just have one single rule.
>
> ===== First try: =====
>
> /snort -T -c snort.conf -N -u snort -g snort
> Running in IDS mode
> Log directory = /var/log/snort
> ERROR: [!] ERROR: Can not get write access to logging directory "/var/log/snort".
> (directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
> Fatal Error, Quitting..
>
> ===== Second try: =====
>
> (I point out a directory even though I don't want to log anything to it)
>
> snort -T -c snort.conf -N -l /usr/sentor/log -u snort -g snort
> Running in IDS mode
> Log directory = /usr/sentor/log
> Initializing Network Interface ed1
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface ed1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /usr/sentor/etc/snort.conf.flash_catch_all
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Found logdir config directive (/usr/sentor/log)
> Initializing Network Interface ed1
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = flash
> database: password is set
> database: database name = catch_all
> database: host = 10.242.2.10
> database: sensor name = flash
> database: sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> 1 Snort rules read...
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 131072 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order: ->pass->activation->dynamic->alert->log
> --== Initialization Complete ==--
> -*> Snort! <*-
> Version 2.1.1-RC1 (Build 16)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> ERROR: OpenAlertFile() => fopen() alert file /usr/sentor/log/alert: Permission denied
> Fatal Error, Quitting..
>
> It still wants to open a file! Is it not possible to turn this off?
>
> /Martin
Snort-users mailing list: Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
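Bamm's explanation, written out as a snort.conf fragment with the matching command lines. This is an added example, not text from the thread: the output line, variables, log directory and -u/-g switches are taken from Martin's posted conf and second try; the two pairings and their comments are the editor's reading of Bamm's two-facility rule, and only one pairing is meant to be active at a time.

```conf
# Added example, not from the thread. Variables are the ones Martin's
# conf already expects (DB_USER, DB_PASSWORD, DB_NAME, DB_HOST, SENSOR_NAME).

# --- What Martin ran: database plugin on the LOG facility, started with -N ---
#   output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
#   snort -T -c snort.conf -N -l /usr/sentor/log -u snort -g snort
# Per Bamm: -N switches off the LOG facility (the one the database plugin is
# attached to), while ALERT has no plugin and falls back to its default, so
# snort still tries to open <logdir>/alert, which is the OpenAlertFile() error.

# --- Pairing 1 (Bamm's suggestion): plugin stays on LOG, ALERT silenced on the command line ---
output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
#   snort -T -c snort.conf -A none -l /usr/sentor/log -u snort -g snort
# No -N here: the command line overrides the conf file, and -N would also
# turn off the LOG facility that the database plugin hangs on.

# --- Pairing 2: plugin moved to ALERT, default LOG silenced with -N ---
# (uncomment this output line and comment out the one above)
#   output database: alert, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
#   snort -T -c snort.conf -N -l /usr/sentor/log -u snort -g snort
```

In either pairing, run with -T first, as Martin did, and check the startup banner: the `database:` block should report the facility you intended, and initialisation should finish without an `OpenAlertFile()` error. If both `output database:` lines are left active, the plugin is attached to both facilities and every event is written to the database twice.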
Current thread:
- How do I suppress file-logging but not database-logging? Martin Olsson (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Dirk Geschke (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Martin Olsson (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Bamm Visscher (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Martin Olsson (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Martin Olsson (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Dirk Geschke (Jan 21)
- Re: How do I suppress file-logging but not database-logging? Frank Knobbe (Jan 21)