Snort mailing list archives
alert_syslog plugin problem
From: Gema de Toro Sánchez <detorosanchez () yahoo es>
Date: Mon, 26 Jan 2004 12:07:39 +0100 (CET)
Hi! I don't know why alert_syslog plugin doesn't work. I don't find any "/var/log/snort/alert" file. The configuration of snort output plugins seems like this:

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
# optionally specify a particular hostname/port.  Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
#output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
#output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format.  The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient.  Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
output alert_unified: filename snort.alert, limit 258
output log_unified: filename snort.unified.log, limit 256

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
#ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)
#
# Include classification & priority settings
#
include classification.config
#
# Include reference systems
#
include reference.config
#############################################################

Output log_unified and alert_unified plugins are enabled because I've also tried to get the log file "/var/log/snort/alert" using Barnyard. I can get log_unified and alert_unified files, but the alert_syslog file still doesn't appear.
Barnyard.conf is like this:

config hostname: snorthost
config interface: eth0
config filter: not port 22

processor dp_alert
processor dp_log
processor dp_stream_stat

output alert_fast
output log_dump
output alert_syslog: LOG_AUTH LOG_ALERT
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password duende, detail full

Does anybody know what I'm doing wrong? Please, I need help. Thank you!!

Gema
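A useful first diagnostic when an expected alert file never shows up is to list which `output` directives are actually active (not commented out) and where each one sends its data. The script below is an added example for this thread, not code from the poster or from the Snort or Barnyard projects. It parses the `output` lines of a snort.conf or barnyard.conf (both use the same `output <plugin>: <args>` syntax quoted above) and tags each plugin with its sink. The plugin-to-sink mapping is an assumption of this example taken only from the comments in the quoted config ("alert_syslog: log alerts to syslog", "log_tcpdump: ... output file name", "database: log to a variety of databases", unified "spool file"); the two sample configs are constructed from the lines in the post.

```python
import re

# Constructed sample: the output-plugin lines of the snort.conf quoted above,
# with the comment and blank lines kept so the parser has to skip them.
SAMPLE_SNORT_CONF = """\
# alert_syslog: log alerts to syslog
output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

#output log_tcpdump: tcpdump.log
#output database: log, mysql, user=snort password=duende dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 258
output log_unified: filename snort.unified.log, limit 256
include classification.config
"""

# Constructed sample: the barnyard.conf from the post (credentials elided).
SAMPLE_BARNYARD_CONF = """\
config hostname: snorthost
processor dp_alert
output alert_fast
output log_dump
output alert_syslog: LOG_AUTH LOG_ALERT
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password XXXX, detail full
"""

# Assumed mapping, derived from the comments in the quoted snort.conf only.
# Plugins not listed here are reported as "unknown" rather than guessed.
SINK_BY_PLUGIN = {
    "alert_syslog": "syslog",
    "log_tcpdump": "file",
    "database": "database",
    "alert_unified": "spool file",
    "log_unified": "spool file",
}

# "output <plugin>" with an optional ": <args>" tail.
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*(?::\s*(.*))?$")


def extract_filename(name, args):
    """Return the file a plugin writes, if its arguments name one.

    unified plugins take 'filename <base>, limit <MB>'; log_tcpdump takes the
    output file name as its only argument (both per the quoted config comments).
    """
    if name in ("alert_unified", "log_unified"):
        m = re.search(r"filename\s+(\S+?)(?:,|$)", args)
        return m.group(1) if m else None
    if name == "log_tcpdump":
        return args or None
    return None


def parse_output_plugins(conf_text):
    """Return the active (uncommented) 'output' directives as a list of dicts."""
    plugins = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out: not active
        m = OUTPUT_RE.match(line)
        if not m:
            continue  # config/processor/include lines are not outputs
        name = m.group(1)
        args = (m.group(2) or "").strip()
        plugins.append({
            "name": name,
            "args": args,
            "sink": SINK_BY_PLUGIN.get(name, "unknown"),
            "filename": extract_filename(name, args),
        })
    return plugins


def plugins_writing_files(conf_text):
    """Names of active plugins whose arguments name an output file."""
    return [p["name"] for p in parse_output_plugins(conf_text) if p["filename"]]


def report(conf_text, label):
    """Human-readable summary of active outputs for one config file."""
    lines = [f"{label}:"]
    for p in parse_output_plugins(conf_text):
        where = p["filename"] or p["sink"]
        lines.append(f"  {p['name']:<14} -> {where}  ({p['args'] or 'no args'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SNORT_CONF, "snort.conf"))
    print(report(SAMPLE_BARNYARD_CONF, "barnyard.conf"))
```

Run against the quoted snort.conf, the report shows only the two unified spool files carrying a file name; the active `alert_syslog` line resolves to the `syslog` sink with no file of its own, which is the distinction to check first when looking for a file under /var/log/snort.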
Current thread:
- alert_syslog plugin problem Gema de Toro Sánchez (Jan 26)
- <Possible follow-ups>
- Re: alert_syslog plugin problem James Nonya (Jan 26)