Snort mailing list archives
preprocessor not logging into DB
From: "Federico Lombardo" <egopfe () hotmail com>
Date: Thu, 16 Jan 2003 12:53:00 +0100
Using Snort 1.9.0 build 209 on Slackware 8.1 Linux. Starting Snort with: ./bin/snort -g snort -u snort -o -t /usr/snorteth0 -c ./ect/snort.conf -p -i eth0
From my snort.conf:
include ../rules/classification.config
include ../rules/reference.config
preprocessor http_decode: 80 443 3128 8080 unicode iis_alt_unicode \
    double_encode iis_flip_slash full_whitespace
preprocessor frag2: 16777216, 30
preprocessor stream4: memcap 16777216, detect_state_problems
preprocessor stream4_reassemble: serveronly 21 23 25 53 80 110 111 143 443 \
    513 1433 2138 2255 5631 8080
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
var HOME_NET [81.113.172.0/27]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 212.17.192.49 194.247.160.6 212.17.192.49 \
    194.73.95.85 198.41.0.10 212.216.112.112 212.245.255.2 194.20.8.4
# spade
# arpspoof
preprocessor arpspoof
preprocessor telnet_decode
# LOGGING
Various Variables Here
...
...
ruletype clear
{
type pass output
output database: alert, mysql, user=snort dbname=snort_alert \
    host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
ruletype normal
{
type alert output
output database: alert, mysql, user=snort dbname=snort_alert \
    host=192.168.0.2 password= sensor_name=fwint0 detail=full
}
ruletype redalert
{
type alert output
output database: alert, mysql, user=snort dbname=snort_alert \
    host=192.168.0.2 password= sensor_name=fwint0 detail=full
output trap_snmp: alert, 4, inform -v 2c -p 163 192.168.0.3 public
}
ruletype archivio
{
type log output
output database: log, mysql, user=snort dbname=snort_log host=192.168.0.2 \
    password= sensor_name=fwint0 detail=full
}
As you can see, I use the "alert" facility in the database ruletype declarations.
The problem is that Snort continues to log preprocessor alerts into the
/var/log/snort/alerts file!!!!
I've realized that rules declared with rule action "alert" are also logged
into the file and not in the database. I think it is better to create a
ruletype called "alert" to log all of these into the dataset, but an alert
ruletype is already declared!
How do I solve these problems??
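The distinction behind the question is where an output plugin is declared. In Snort 1.x, output lines inside a ruletype block only fire for rules whose action is that ruletype's name; preprocessor alerts and rules using the built-in "alert" action are handed to the output plugins declared at the top level of snort.conf. The script below is an added example, not code from the poster or the Snort project: it parses a constructed snort.conf fragment in the posted layout (backslash line continuation, ruletype blocks), records which output plugins are global and which are scoped to a ruletype, and reports whether a given plugin would receive built-in alert events. The conf text, the host and sensor values in it, and the assumption that only global outputs catch built-in alerts are constructed for the example.

```python
"""Check which Snort 1.x output plugins receive built-in 'alert' events."""
import re

# Constructed snort.conf fragment mirroring the posted layout: the database
# output plugin appears only inside custom ruletype blocks, never globally.
POSTED_CONF = """\
preprocessor portscan: $HOME_NET 4 3 portscan.log
ruletype clear
{
    type pass output
    output database: alert, mysql, user=snort dbname=snort_alert \\
        host=192.168.0.2 sensor_name=fwint0 detail=full
}
ruletype normal
{
    type alert output
    output database: alert, mysql, user=snort dbname=snort_alert \\
        host=192.168.0.2 sensor_name=fwint0 detail=full
}
"""

# Constructed corrected layout (assumption: a top-level output line is what the
# built-in alert facility, and therefore every preprocessor alert, is sent to).
FIXED_CONF = POSTED_CONF + (
    "output database: alert, mysql, user=snort dbname=snort_alert "
    "host=192.168.0.2 sensor_name=fwint0 detail=full\n"
)

RULETYPE_RE = re.compile(r"^ruletype\s+(\w+)")
OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:\s*(\w+)")


def output_scopes(conf_text):
    """Map scope -> list of (plugin, facility) output declarations.

    Scope '<global>' holds top-level output lines; every other key is a
    ruletype name whose block contained the output line. Trailing-backslash
    continuation is joined the way snort.conf allows.
    """
    scopes = {"<global>": []}
    current = "<global>"
    pending = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        m = RULETYPE_RE.match(line)
        if m:
            current = m.group(1)
            scopes.setdefault(current, [])
            continue
        if line == "{":
            continue
        if line == "}":
            current = "<global>"
            continue
        m = OUTPUT_RE.match(line)
        if m:
            scopes[current].append((m.group(1), m.group(2)))
    return scopes


def builtin_alerts_reach(plugin, conf_text):
    """True if events raised through the built-in 'alert' facility
    (preprocessor alerts, and rules whose action is plain 'alert') are
    delivered to `plugin`, i.e. it is declared globally with facility 'alert'."""
    return (plugin, "alert") in output_scopes(conf_text)["<global>"]


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, output_scopes(conf),
              "database gets built-in alerts:", builtin_alerts_reach("database", conf))
```

Running it shows the posted layout has the database plugin only under the "clear" and "normal" scopes, so nothing global catches the preprocessor alerts, which then fall through to the default alert file; the same output line added once at top level is what makes the check return True. The parser is intentionally minimal (it keys on `output` and `ruletype` lines only) and is a configuration audit aid, not a replacement for reading the Snort manual's output-module section.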