From: Martin Roesch (roeschmd.prestige.net)
Date: Sun Mar 25 2001 - 21:38:03 CST

    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
    

    attached mail follows:


    Use the -l switch?

    -Marty

    John_Delisleceridian.ca wrote:
    >
    > Quick update -
    >
    > I've used the following with some success:
    >
    > command line:
    > snort -c /var/log/snort/rules/rules.170.153.0.0 -d -D -e -h
    > 170.153.0.0/16 -i eth1
    >
    > FYI - Because I'm using snorticus, the location of my logs changes hourly.
    > There's an hourly cron job that calls snort with different params for log
    > directory each time. I modified the code to echo the new log location to
    > /var/log/snort/rules/alert and I include it in my conf file.
    >
    > In my conf file I have the following:
    > output alert_syslog: LOG_AUTH LOG_ALERT
    > #Get output alert info from alert file
    > include /var/log/snort/rules/alert
    >
    > In /var/log/snort/alert, I have this at the moment (will change in an
    > hour..):
    > output alert_full:
    > /var/log/snort/LOGS/hosnortice/20010312.10/170.153.0.0/alert
    >
    > Anyhow, the results are close to what I want: I get syslog messaging, an
    > alert file in /var/log/snort/LOGS/hosnortice/20010312.10/170.153.0.0, but
    > all my packet logs are in /var/log/snort, not in the same directory as the
    > alert file. How do I configure the directory for packet logs?
    >
    > Any ideas?
    >
    > John Delisle
    > Corporate Technology
    > Ceridian Canada Ltd
    > 204-975-5909
    >
    >
    > Martin Roesch <roeschmd.prestige.net>
    > Sent by: snort-users-adminlists.sourceforge.net
    > To: John_Delisleceridian.ca
    > cc: snort-userslists.sourceforge.net
    > Subject: Re: [Snort-users] Syslog and Full Alerting
    > 2001/03/12 12:40 AM
    >
    > Try using the -l option to specify a logging directory and let us know
    > if that works. Additionally, make sure you're not specifying any
    > alerting options on the command line; specify them in the config file.
    >
    > -Marty
    >
    > John_Delisleceridian.ca wrote:
    > >
    > > Is it possible to use syslog and full alerting at the same time? I need
    > > syslog for notification/paging etc. I need the full logs for analysis.
    > >
    > > Has anyone made this work?
    > >
    > > John Delisle
    > > Corporate Technology
    > > Ceridian Canada Ltd
    > > 204-975-5909
    >
    > --
    > Martin Roesch
    > roeschmd.prestige.net
    > http://www.snort.org

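Marty's advice above, as an added shell example that is not code from the thread or from Snort itself: the hourly cron wrapper chooses the log directory with -l and keeps every output plugin in the config file, so packet logs and the full alert file end up together. The base directory, config path, interface and the assumption that a relative alert_full filename is created under the -l directory are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): hourly cron wrapper that
# sets the Snort log directory with -l. Paths below are assumptions.

# Directory for one hour stamp (YYYYMMDD.HH) and one monitored network,
# following the snorticus-style layout seen in the thread.
snort_logdir() {
    stamp="$1"                                  # e.g. 20010312.10
    net="$2"                                    # e.g. 170.153.0.0/16
    base="${3:-/var/log/snort/LOGS/hosnortice}" # assumed base directory
    printf '%s/%s/%s' "$base" "$stamp" "${net%/*}"   # drop the /16 suffix
}

# Command line for that hour. Only capture options, -c and -l go here;
# alerting is left to the config file, as advised in the thread.
snort_cmdline() {
    printf 'snort -c /etc/snort/snort.conf -d -D -e -h %s -i eth1 -l %s' \
        "$2" "$(snort_logdir "$1" "$2" "$3")"
}

# Output section for snort.conf: syslog for paging plus a full alert file.
# Assumes a relative alert_full filename lands under the -l directory, which
# removes the need for the hourly rewritten "include" file.
snort_output_conf() {
    printf '%s\n' \
        'output alert_syslog: LOG_AUTH LOG_ALERT' \
        'output alert_full: alert'
}

# Hourly entry point (called from cron): create the directory, start snort.
hourly_run() {
    stamp=$(date +%Y%m%d.%H)
    net=170.153.0.0/16
    logdir=$(snort_logdir "$stamp" "$net")
    mkdir -p "$logdir" || return 1
    snort -c /etc/snort/snort.conf -d -D -e -h "$net" -i eth1 -l "$logdir"
}
```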
