Re: [Snort-users] Can't put log message to the special directory

From: Matt Kettler (mkettlerevi-inc.com)
Date: Tue Sep 28 2004 - 10:49:12 CDT


I think you are missing one minor concept of Snort. Snort has alerts, and
logs. Both. Alerts contain rule matches, logs contain packet captures.

Using your "output alert_fast: /home/snort/fst.log" you've set where your
ALERTS go, but not where your logs go.

The -l command line specifies where both go. And the default format for
logs is ip-hierarchy. However, this is IN ADDITION to the alert file.

Might I suggest switching to tcpdump binary logging or unified logging for
your packet captures:

         output alert_fast: /home/snort/fst.log
         output log_tcpdump: /home/snort/tcpdump.log

This will give you two files, one with your fast mode alerts, and one
fast-written binary log of packets that you can later read with tcpdump -r.

At 10:06 PM 9/27/2004, Peixiao Guo wrote:
>output alert_fast: /home/snort/fst.log
>log tcp any any -> any 80 (flags:S;)
>I just want to put the "alert_fast" message to the file
>/home/snort/fst.log, but I will get an error if I run this command:
>snort -c snort.conf -d
>the err messages as below:
>Running in IDS mode
>Log directory = /var/log/snort
>ERROR:
>[!] ERROR: Can not get write access to logging directory "/var/log/snort".
>(directory doesn't exist or permissions are set incorrectly
>or it is not a directory at all)
>Fatal Error, Quitting..
>When I run this command:
>snort -c snort.conf -dl /home/snort/
>then all output messages will be recorded in IP hierarchy in the /home/snort
>directory.
>
>I'm wondering how to log the output message to a /home/snort/fst.log file.
>Can any senior one give me a directive?
>Thanks very very much!

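The startup error quoted above comes from Snort checking its log directory (the one given with -l, or /var/log/snort by default) before it opens any output plugin. The following script is an added example, not part of the original post or of Snort itself: it reproduces those three checks (exists, is a directory, writable by the current user) so the failure can be diagnosed before Snort is launched, and builds the command line that keeps alerts and packet logs under one directory. The path /home/snort and the snort.conf name are taken from the post; everything else is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not Snort's own code). Mimics the three conditions Snort
# tests on its logging directory before it starts, so that
# "Can not get write access to logging directory" can be explained
# without starting the daemon.

check_logdir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        echo "$dir: does not exist (create it, e.g. mkdir -p \"$dir\")" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: exists but is not a directory" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        # Snort usually drops privileges (-u/-g); the directory must be
        # writable by THAT user, not just by root at startup.
        echo "$dir: not writable by $(id -un)" >&2
        return 1
    fi
    return 0
}

# Build the Snort command line for a given log directory. -l only sets the
# directory; the file names inside it come from the "output" lines in
# snort.conf (alert_fast and log_tcpdump in this thread). The command is
# printed, not executed, so this runs where Snort is not installed.
snort_cmd() {
    check_logdir "$1" || return 1
    printf 'snort -c snort.conf -d -l %s\n' "$1"
}

# Emit the two output lines from the reply above, so alerts land in one
# text file and packet captures in one binary file under the -l directory.
snort_output_conf() {
    cat <<'EOF'
output alert_fast: /home/snort/fst.log
output log_tcpdump: /home/snort/tcpdump.log
EOF
}

# Example run (assumed paths): checks /home/snort, then shows the command.
if [ "${1:-}" = "--demo" ]; then
    snort_output_conf
    snort_cmd /home/snort || echo "fix the directory first" >&2
fi
```

Run it as `sh check_logdir.sh --demo` (file name assumed). If check_logdir fails for the user Snort drops to, fix ownership with chown on the directory rather than running Snort as root; the tcpdump.log it writes can then be read back with `tcpdump -r /home/snort/tcpdump.log`.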
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users