Snort mailing list archives
alert file, database output?!?!
From: "Federico Lombardo" <egopfe () hotmail com>
Date: Wed, 15 Jan 2003 17:29:12 +0100
Hi all, I have a little problem configuring log output.
I want to log my alerts into a MySQL database, so I configured snort.conf
as follows:
include ../rules/classification.config
include ../rules/reference.config
preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor frag2: 16777216, 30
preprocessor stream4: memcap 16777216, detect_state_problems
preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443 513 1433 2138 2255 5631 8080
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 212.17.192.49 194.247.160.6 212.17.192.49 194.73.95.85 198.41.0.10 212.216.112.112 212.245.255.2 194.20.8.4
preprocessor arpspoof
preprocessor telnet_decode
# LOGGING
ruletype clear
{
type pass output
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
ruletype normal
{
type alert output
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
ruletype redalert
{
type alert output
output database: alert, mysql, user=snort dbname=snort_alert host=192.168.0.2 password= sensor_name=fwint0 detail=full
output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
}
ruletype archivio
{
type log output
output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
Now I can't understand why Snort creates an alert file in my /var/log/snort/
containing alerts... instead of sending them to the database... why???
Also, how can I make Snort stop logging BAD packets? Which preprocessor?
Thanks in advance,
Federico
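A small audit script for configurations like the one posted above, added here as an example and not part of the original post or of the Snort project. It joins backslash-continued lines the way Snort's config reader does, collects top-level output directives and the per-ruletype output plugins, and reports two things a reviewer of this snort.conf would check: whether any top-level output plugin exists at all (with none configured, Snort falls back to its default alert file in the log directory for rules that use the built-in alert type and for preprocessor alerts), and whether a database output ships with an empty password=. The sample configuration embedded below is constructed for the example and modelled on the posted one; the hostnames, credentials and sensor names in it are placeholders.

```python
"""Audit output-plugin wiring in a snort.conf (added example, not from the post)."""
import re

# Constructed sample modelled on the configuration posted above; not a real deployment.
SAMPLE_CONF = """\
preprocessor stream4: memcap 16777216, detect_state_problems
# LOGGING
ruletype normal
{
type alert output
output database: alert, mysql, user=snort dbname=snort_alert \\
host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
ruletype archivio
{
type log output
output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 \\
password=s3cret sensor_name=fwint0 detail=full
}
"""


def join_continuations(text):
    """Merge lines ending in a backslash into one logical line."""
    return text.replace("\\\n", " ")


def parse_conf(text):
    """Return (top_level_outputs, {ruletype_name: {"type": str, "outputs": [str]}})."""
    top_outputs = []
    ruletypes = {}
    current = None
    for raw in join_continuations(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ruletype\s+(\S+)", line)
        if m:
            current = m.group(1)
            ruletypes[current] = {"type": None, "outputs": []}
            continue
        if line == "{":
            continue
        if line == "}":
            current = None
            continue
        if current and line.startswith("type "):
            # "type alert output" -> the rule action this ruletype maps to
            ruletypes[current]["type"] = line.split()[1]
        elif line.startswith("output "):
            target = ruletypes[current]["outputs"] if current else top_outputs
            target.append(line[len("output "):])
    return top_outputs, ruletypes


def audit(text):
    """Return a list of human-readable findings about the output configuration."""
    top_outputs, ruletypes = parse_conf(text)
    findings = []
    if not top_outputs:
        findings.append("no top-level output plugin: built-in alerts fall back "
                        "to Snort's default alert file in the log directory")
    for name, rt in ruletypes.items():
        if not rt["outputs"]:
            findings.append(f"ruletype {name} has no output plugin")
        for out in rt["outputs"]:
            # database plugin with "password=" followed by nothing but whitespace
            if out.startswith("database:") and re.search(r"\bpassword=(\s|$)", out):
                findings.append(f"ruletype {name}: database output with empty password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

Running it on the sample reports the missing top-level output plugin and the empty database password on the `normal` ruletype; `archivio`, whose database output carries a password, produces no finding.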
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Current thread:
- alert file, database output?!?! Federico Lombardo (Jan 15)
- <Possible follow-ups>
- Re: alert file, database output?!?! Federico Lombardo (Jan 16)
- Re: alert file, database output?!?! Erek Adams (Jan 16)
