From: Andrew R. Baker (andrewb_at_snort.org)
Date: Fri Nov 01 2002 - 15:21:56 CST


    Geoff Galitz wrote:
    >
    > On Thursday, October 31, 2002, at 07:33 PM, Andrew R. Baker wrote:
    >
    >> galitz wrote:
    >>
    >>> G'day.
    >>> I am using the latest snort 1.9 and am having a little
    >>> issue. I am logging to a remote MySQL database but I do not want any
    >>> logging to disk at all. It is not clear
    >>> if using the -N parameter will accomplish this. What is the correct
    >>> way to do this?
    >>
    >>
    >> The -N flag turns off all packet logging, including any methods that
    >> you have specified in the config file. I am guessing that you want to
    >> use the Snort database plugin in "log" mode. If that is the case, try
    >> adding "-A none" to the command line to turn off all of the alerting
    >> plugins.
    >>
    >
    > Hmm... well... more specifically at this time, my problem is thus:
    >
    > I have the portscan2 preprocessor configured to run.
    > Ideally I'd like logging and alerting both running.
    > Events are showing up in the MySQL database just fine.
    > But... no matter what I do the portscan2 preprocessor (or
    > some other component) creates /var/snort/scan.log. I cannot
    > get it to stop creating entries on disk (using "-N" or "-A none"
    > alternatively
    > both continue to create entries on disk in the /var/snort/scan.log
    > file).

    Well, that is a shortcoming of the portscan2 preprocessor. Like the
    earlier portscan preprocessor, the portscan2 preprocessor generates its
    own logs independent of the standard Snort output system. The only way
    you can prevent it from generating the scan.log file is to turn off the
    preprocessor in the config file or edit the code so that it does not
    generate the file.

    -A
