
Subject: Re: [Snort-users] Can't put log message to the special
From: Matt Kettler
Date: 2004-09-28, 5:47 pm

I think you are missing one minor concept of Snort. Snort has alerts, and
logs. Both. Alerts contain rule matches, logs contain packet captures.

Using your "output alert_fast: /home/snort/fst.log" you've set where your
ALERTS go, but not where your logs go.

The -l command line specifies where both go. And the default format for
logs is ip-hierarchy. However, this is IN ADDITION to the alert file.

Might I suggest switching to tcpdump binary logging or unified logging for
your packet captures:

output alert_fast: /home/snort/fst.log
output log_tcpdump: /home/snort/tcpdump.log

This will give you two files, one with your fast mode alerts, and one
fast-written binary log of packets that you can later read with tcpdump -r.

At 10:06 PM 9/27/2004, Peixiao Guo wrote:
>output alert_fast: /home/snort/fst.log
>log tcp any any -> any 80 (flags:S;)
>I just want to put the "alert_fast" message to the file
>/home/snort/fst.log, but I will get an error if I run this command:
>snort -c snort.conf -d
>the error messages as below:
>Running in IDS mode
>Log directory = /var/log/snort
>ERROR:
>[!] ERROR: Can not get write access to logging directory "/var/log/snort".
>(directory doesn't exist or permissions are set incorrectly
>or it is not a directory at all)
>Fatal Error, Quitting..
>When I run this command:
>snort -c snort.conf -dl /home/snort/
>then all output messages will be recorded in IP hierarchy in the /home/snort
>directory.
>
>I'm wondering how to log the output message to a /home/snort/fst.log file.
>Can any senior one give me a directive?
>Thanks very very much!
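The setup the reply describes, as an added shell example that is not part of the original thread: a pre-flight check that mirrors the three conditions in the "Can not get write access to logging directory" error (exists, is a directory, is writable), a snort.conf constructed from the two output plugins and the log rule posted above, and a guarded run that passes the same directory to -l and reads the binary packet log back with tcpdump -r. The directory paths and the snort.conf layout are assumptions; the snort and tcpdump invocations only run when those tools are installed.

```shell
#!/bin/sh
# Added example, not code from the original post. All paths are assumptions.

# Mirror Snort's logging-directory checks from the error quoted in the thread:
# the directory must exist (create it if not), be a directory, and be writable.
check_logdir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    [ -w "$dir" ] || { echo "not writable: $dir" >&2; return 3; }
    return 0
}

# Constructed snort.conf: the two output plugins from the reply plus the
# log rule from the original question. alert_fast gets the rule matches,
# log_tcpdump gets the packet captures in pcap format.
write_conf() {
    dir="$1"
    cat > "$dir/snort.conf" <<EOF
output alert_fast: $dir/fst.log
output log_tcpdump: $dir/tcpdump.log
log tcp any any -> any 80 (flags:S;)
EOF
    [ -s "$dir/snort.conf" ]
}

# -l sets the directory both outputs fall under; the output lines above set
# the individual file names inside it. tcpdump -r reads the binary log back.
run_snort() {
    dir="$1"
    check_logdir "$dir" || return $?
    write_conf "$dir" || return 1
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not installed; config written to $dir/snort.conf" >&2
        return 0
    fi
    snort -c "$dir/snort.conf" -d -l "$dir"
    tcpdump -r "$dir/tcpdump.log"
}
```

Run it as `run_snort /home/snort` (assumed path). If check_logdir fails with the "not writable" message, the fix is ownership or mode on that directory for the user Snort runs as, not a change to the output plugins.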
