Snort mailing list archives
Different output options for different alerts
From: Willst Mail <willstmail () gmail com>
Date: Wed, 17 Mar 2010 20:08:43 -0400
Hello,

Is it possible to use different output options for different alerts? In my specific case, what I would like to do is this:

1. All alerts are handled by the syslog output so they are written to our logging system for correlation and archival.
2. All alerts except port scans and port sweeps are handled by the database output so they are written to BASE for trending, reporting, payload analysis, etc.

Some alerts are more useful for correlation than they are for analysis and reporting, e.g. the port scans/sweeps, not to mention they can be voluminous, so I'd rather not clutter up BASE if necessary.

We are using barnyard2 v2.1.7 with Snort v2.8.5.x. Are we somehow able to achieve this configuration?

Thanks
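One way to get the split the poster describes without relying on per-output filtering inside barnyard2 is to run two barnyard2 instances: one reads the Snort unified2 spool with `output alert_syslog` and sees everything, while a small filter copies that spool into a second directory with the portscan events removed, and a second barnyard2 instance (with its own waldo file) reads the filtered spool with `output database`. The filter below is an added example written for this thread, not code from Snort, barnyard2 or BASE. It assumes the unified2 record layout from Snort's `unified2.h` (4-byte big-endian type, 4-byte big-endian length, then the payload; `sensor_id` at byte 0, `event_id` at byte 4 and `generator_id` at byte 20 of every IDS event record; packet and extra-data records carry the `sensor_id`/`event_id` of their event at bytes 0 and 4) and that the sfportscan preprocessor alerts under GID 122. The sample spool is constructed inline so the script runs offline; the function names are my own.

```python
"""Split a Snort unified2 spool by generator ID (GID) so that two barnyard2
instances can apply different output plugins to different alerts.

Added example for this thread, not code from Snort or barnyard2.  Assumed
layout (from Snort's unified2.h): every record is a 4-byte big-endian type,
a 4-byte big-endian length, then `length` bytes of payload.  IDS event
records carry sensor_id at byte 0, event_id at byte 4 and generator_id at
byte 20; packet (type 2) and extra-data (type 110) records carry the
sensor_id/event_id of the event they belong to at bytes 0 and 4.
"""
import struct

U2_PACKET = 2
U2_IDS_EVENT = 7            # IPv4 event, the type Snort 2.8.x writes
U2_IDS_EVENT_IPV6 = 72
U2_IDS_EVENT_VLAN = 104
U2_IDS_EVENT_IPV6_VLAN = 105
U2_EXTRA_DATA = 110
EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_VLAN, U2_IDS_EVENT_IPV6_VLAN}
FOLLOWER_TYPES = {U2_PACKET, U2_EXTRA_DATA}
GID_SFPORTSCAN = 122        # assumed generator id of the sfportscan preprocessor


def iter_records(data):
    """Yield (rec_type, payload) for each complete record; stop at a truncated tail."""
    off = 0
    while off + 8 <= len(data):
        rec_type, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            break           # partial record: a spool reader would wait for the rest
        yield rec_type, data[off:off + length]
        off += length


def filter_unified2(data, drop_gids):
    """Return (kept_bytes, dropped_event_count).

    Events whose GID is in drop_gids are removed together with the packet
    and extra-data records that reference the same (sensor_id, event_id),
    so the portscan pseudo-packet does not survive as an orphan record.
    """
    out = bytearray()
    dropped_ids = set()
    dropped = 0
    for rec_type, payload in iter_records(data):
        if rec_type in EVENT_TYPES:
            sensor_id, event_id = struct.unpack_from("!II", payload, 0)
            (gid,) = struct.unpack_from("!I", payload, 20)
            if gid in drop_gids:
                dropped_ids.add((sensor_id, event_id))
                dropped += 1
                continue
        elif rec_type in FOLLOWER_TYPES:
            if struct.unpack_from("!II", payload, 0) in dropped_ids:
                continue
        out += struct.pack("!II", rec_type, len(payload)) + payload
    return bytes(out), dropped


def record_types(data):
    """Record types in order, for inspecting a spool."""
    return [t for t, _ in iter_records(data)]


def gids_in(data):
    """Generator IDs of the IDS events in a spool, in order."""
    return [struct.unpack_from("!I", p, 20)[0] for t, p in iter_records(data) if t in EVENT_TYPES]


# --- constructed sample data (not a real capture) ---------------------------

def make_event(sensor_id, event_id, gid, sid):
    """Constructed Unified2IDSEvent_legacy (type 7, 52 bytes) for 10.0.0.1 -> 10.0.0.2:80/tcp."""
    return struct.pack("!IIIIIIIIIIIHHBBBB",
                       sensor_id, event_id, 1268870923, 0,    # sensor, event, sec, usec
                       sid, gid, 1, 0, 2,                    # sid, gid, rev, class, prio
                       0x0A000001, 0x0A000002,               # src, dst
                       1234, 80, 6, 0, 0, 0)                 # sport, dport, proto, flags


def make_packet(sensor_id, event_id, pkt):
    """Constructed Serial_Unified2Packet header (28 bytes) followed by packet bytes."""
    return struct.pack("!IIIIIII", sensor_id, event_id, 1268870923, 1268870923, 0, 1, len(pkt)) + pkt


def record(rec_type, payload):
    return struct.pack("!II", rec_type, len(payload)) + payload


def sample_spool():
    """Rule alert with its packet, a portscan event with its pseudo-packet, another rule alert."""
    return b"".join([
        record(U2_IDS_EVENT, make_event(1, 1, 1, 2000001)),
        record(U2_PACKET, make_packet(1, 1, b"\x45\x00" + b"\x00" * 18)),
        record(U2_IDS_EVENT, make_event(1, 2, GID_SFPORTSCAN, 1)),
        record(U2_PACKET, make_packet(1, 2, b"Priority Count: 5\n")),
        record(U2_IDS_EVENT, make_event(1, 3, 1, 2000002)),
    ])


if __name__ == "__main__":
    kept, n = filter_unified2(sample_spool(), {GID_SFPORTSCAN})
    print("dropped %d portscan event(s); remaining GIDs: %s" % (n, gids_in(kept)))
```

In a deployment the filter would tail the Snort spool directory and append to a second spool directory, and the second barnyard2 would be pointed at that directory with a separate waldo file. Anything the filter does not recognise (other record types, or a record type whose GID sits at a different offset) is passed through unchanged, so the syslog-fed instance and the database-fed instance disagree only on the GIDs you list in `drop_gids`.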
Current thread:
- Different output options for different alerts Willst Mail (Mar 17)
- Re: Different output options for different alerts Matt Olney (Mar 17)