Snort mailing list archives

alert_syslog plugin problem


From: Gema de Toro Sánchez <detorosanchez () yahoo es>
Date: Mon, 26 Jan 2004 12:07:39 +0100 (CET)


Hi!

I don't know why the alert_syslog plugin doesn't work. I can't find any "/var/log/snort/alert" file. The configuration of the snort output plugins looks like this:

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also
# optionally specify a particular hostname/port. Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
#output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
#output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
output alert_unified: filename snort.alert, limit 258
output log_unified: filename snort.unified.log, limit 256

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
#ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=duende dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
# (msg:"Someone is being LEET"; flags:A+;)
#
# Include classification & priority settings
#
include classification.config
#
# Include reference systems
#
include reference.config
#############################################################

The log_unified and alert_unified output plugins are enabled because I've also tried to get the log file "/var/log/snort/alert" using Barnyard. I can get the log_unified and alert_unified files, but the alert_syslog file still doesn't appear. Barnyard.conf is like this:

config hostname: snorthost
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_fast
output log_dump
output alert_syslog: LOG_AUTH LOG_ALERT
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password duende, detail full



Does anybody know what I'm doing wrong? Please, I need help. Thank you!!

Gema
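The post above configures `output alert_syslog: LOG_AUTH LOG_ALERT` and then looks for the result in a file under /var/log/snort. The following is an added example, not code from the original post or from the Snort or Barnyard projects: it shows how an alert_syslog line maps to a syslog facility and level, how a syslog.conf-style rule set decides which file (if any) receives messages with that facility and level, and how to pick Snort alerts back out of whatever file the daemon wrote them to. The syslog.conf rules and the log lines are constructed for the example; the alert line layout follows the usual Snort 2.x alert_syslog shape (`[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst`), which is an assumption about the format rather than something stated on the page.

```python
"""Where alert_syslog output goes, and how to find it again (added example)."""
import re
from typing import Optional

# Standard syslog facility and severity codes (RFC 3164), keyed by the short
# names used in syslog.conf.  Snort's LOG_AUTH / LOG_ALERT are the same values.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def _short(name: str) -> str:
    """LOG_AUTH -> auth, LOG_ALERT -> alert (names already short pass through)."""
    return name[4:].lower() if name.upper().startswith("LOG_") else name.lower()

def parse_alert_syslog_line(conf_line: str) -> tuple:
    """Read (facility, severity) from a snort.conf 'output alert_syslog:' line.
    host=... tokens (the Win32 form) are skipped; they are not facilities."""
    _, _, args = conf_line.partition("alert_syslog:")
    facility = severity = None
    for tok in args.replace(",", " ").split():
        if "=" in tok:
            continue
        name = _short(tok)
        if name in FACILITIES:
            facility = name
        elif name in SEVERITIES:
            severity = name
    return facility, severity

def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, the number a daemon sees in '<PRI>'."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def selector_matches(selector: str, facility: str, severity: str) -> Optional[bool]:
    """Classic syslog.conf selector: 'fac[,fac].level' matches that level and
    anything more severe; 'none' excludes the facility; '*' matches all.
    Returns None when the selector does not mention this facility at all."""
    facs, _, level = selector.partition(".")
    names = facs.split(",")
    if "*" not in names and facility not in names:
        return None
    if level == "none":
        return False
    if level == "*":
        return True
    return SEVERITIES[severity] <= SEVERITIES[level]

def destinations(rules, facility: str, severity: str) -> list:
    """Targets that would receive the message.  Within one rule the selectors
    are read left to right and a later one naming the facility overrides an
    earlier one, so '*.*;auth.none' sends everything except auth."""
    hit = []
    for selectors, target in rules:
        decision = None
        for sel in selectors.split(";"):
            r = selector_matches(sel.strip(), facility, severity)
            if r is not None:
                decision = r
        if decision:
            hit.append(target)
    return hit

# Constructed syslog.conf (Debian-style layout); not taken from the poster's host.
SAMPLE_SYSLOG_CONF = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("*.emerg", "*"),
]

# Shape of a Snort 2.x alert as it lands in syslog (assumed format).
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)")

def parse_snort_alerts(lines) -> list:
    """Pull Snort alerts out of a mixed log file, ignoring other daemons' lines."""
    return [m.groupdict() for m in map(ALERT_RE.search, lines) if m]

# Constructed auth.log excerpt: one sshd line and two Snort alerts.
SAMPLE_AUTH_LOG = """\
Jan 26 12:07:39 snorthost sshd[812]: Accepted password for gema from 10.0.0.5 port 1034 ssh2
Jan 26 12:08:02 snorthost snort[1234]: [1:1000001:1] Internal IRC Server [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.0.7:1045 -> 10.0.0.20:6667
Jan 26 12:08:05 snorthost snort[1234]: [1:1000002:1] Someone is being LEET [Priority: 1]: {TCP} 10.0.0.7:1046 -> 203.0.113.9:31337
"""

if __name__ == "__main__":
    fac, sev = parse_alert_syslog_line("output alert_syslog: LOG_AUTH LOG_ALERT")
    print(f"facility={fac} severity={sev} PRI={syslog_pri(fac, sev)}")
    print("written to:", destinations(SAMPLE_SYSLOG_CONF, fac, sev))
    for a in parse_snort_alerts(SAMPLE_AUTH_LOG.splitlines()):
        print(f"sid {a['sid']} prio {a['priority']} {a['proto']} {a['src']} -> {a['dst']}: {a['msg']}")
```

With the constructed rule set, LOG_AUTH/LOG_ALERT messages land only in /var/log/auth.log; nothing in the chain ever creates a file under /var/log/snort, since the destination is the daemon's decision, not Snort's. The parser deliberately treats the classification bracket as optional so alerts from rules without a classtype are not dropped.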
