Snort mailing list archives
Re: Re[4]: unified format
From: "Roland Turner (SourceForge)" <raz.fs.arg () countersnipe com>
Date: Fri, 19 Aug 2005 15:35:51 +0100 (BST)
Igor Belikov said:
- >8 - - >8 - - >8 - part of snort.conf - >8 - - >8 - - >8 -
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
You only need the latter.
startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f snort.alert -w $SNORT_LOG/barnyard.waldo
Looks reasonable, except that you want snort.log, not snort.alert.
When I use "-f snort.alert" - I get alert events in DB, but don't get payload. When I use "-f snort.log" - I don't get alert events in DB.
Ah, this may be the problem. If the rule action is "alert" then the data presented to the output plugins does not include the payload. There is no configuration of anything that can get around this, IIRC. You need to be setting the actions to "log" if you want the payload.
- Raz
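As an added example (not part of this thread and not Snort or barnyard code), a small Python helper that applies the two points above: it reads which file the log_unified plugin writes (the one barnyard's -f should name) and rewrites "alert" rule headers to "log" so the unified log record carries the payload. The snort.conf excerpt and the rules in it are constructed sample input.

```python
import re

# Constructed sample snort.conf excerpt, same shape as the one quoted in the thread.
SAMPLE_CONF = """\
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
# a comment line is left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"web \\
  probe"; sid:1000002; rev:1;)
pass icmp any any -> any any (msg:"ignore"; sid:1000003;)
"""

# "output <plugin>: filename <name>[, ...]" lines of snort.conf
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+):\s*filename\s+(\S+?)\s*(?:,|$)", re.M)
# Rule header: action proto src sport dir dst dport (continuation lines never start with an action)
RULE_HEADER_RE = re.compile(
    r"^\s*(alert|log|pass|activate|dynamic|drop|reject|sdrop)"
    r"\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+")

def unified_filenames(conf_text):
    """Map each unified output plugin (alert_unified / log_unified) to the file it writes."""
    return {m.group(1): m.group(2) for m in OUTPUT_RE.finditer(conf_text)
            if m.group(1) in ("alert_unified", "log_unified")}

def barnyard_file_for_payload(conf_text):
    """File barnyard should read with -f to see payloads: the log_unified one (None if absent)."""
    return unified_filenames(conf_text).get("log_unified")

def alert_rules_to_log(conf_text):
    """Rewrite 'alert' rule headers to 'log'; comments, output lines and other actions are kept.
    Backslash-continued rules are safe because only the header line carries the action."""
    out = []
    for line in conf_text.splitlines(keepends=True):
        m = RULE_HEADER_RE.match(line)
        if m and m.group(1) == "alert":
            line = line[:m.start(1)] + "log" + line[m.end(1):]
        out.append(line)
    return "".join(out)
```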