
| Subject: | Re: [Snort-users] Upgrade of Snort |
|---|---|
| Date: | Fri, 24 Sep 2004 17:15:22 -0500 |
Snort has two output facilities: "alert" and "log". Each facility is assigned a default output format if none is specified. For the alert facility the default is the /var/log/snort/alert file, for the log facility, it is those funky addr:port files in /var/log/snort.

By using "output database: log" you have changed the log facility from the default, to using the DB, but you have done nothing with the alert facility. Since alert calls log (as long as the function was called with a pointer to a packet), you can safely turn off any alert output by using '-A none' (and -N would turn off any log output).

Bammkkkk

----- Original Message -----
From: O'Flynn, Derek <doflyn@lsuhsc.edu>
Date: Fri, 24 Sep 2004 16:57:35 -0500
Subject: RE: [Snort-users] Upgrade of Snort
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>

An update, I found the problem, on a hunch I checked /var/log/snort and noticed a big ol' file sitting there. So I deleted it...problem fixed. Why is snort logging to this file when I have it configured to replicate the events to a db?

Derek O'Flynn
Enterprise Information Security
LSU Health Sciences Center
doflyn@lsuhsc.edu
(504)568-6130

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
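The facility behaviour described in the message above, sketched as an added example that is not part of the original thread or of Snort itself: a small checker that reports which facility would still write its default files under /var/log/snort. The sample configuration line is constructed, and inferring a plugin's facility from an `alert_`/`log_` name prefix is an assumption of this sketch.

```python
import shlex

# Default destinations per facility, as named in the message above.
DEFAULTS = {"alert": "default:/var/log/snort/alert",
            "log": "default:/var/log/snort/<addr:port files>"}

def effective_outputs(conf_text, cmdline=""):
    """Map each facility to the destinations it ends up writing to."""
    configured = {"alert": [], "log": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("output "):
            continue
        plugin, _, args = line[len("output "):].partition(":")
        plugin = plugin.strip()
        if plugin == "database":
            # The database plugin's first argument names the facility.
            facility = args.split(",")[0].strip()
        elif plugin.startswith(("alert_", "log_")):
            # Assumption: other plugins carry the facility in their prefix.
            facility = plugin.split("_", 1)[0]
        else:
            continue
        if facility in configured:
            configured[facility].append(plugin)

    argv = shlex.split(cmdline)
    disabled = set()
    for i, tok in enumerate(argv):
        if tok == "-A" and argv[i + 1:i + 2] == ["none"]:
            disabled.add("alert")                # '-A none': no alert output
        elif tok == "-N":
            disabled.add("log")                  # '-N': no log output
    # A facility with no configured plugin falls back to its default.
    return {f: [] if f in disabled else (configured[f] or [DEFAULTS[f]])
            for f in ("alert", "log")}

def still_on_defaults(conf_text, cmdline=""):
    """Facilities that will keep growing default files in /var/log/snort."""
    out = effective_outputs(conf_text, cmdline)
    return sorted(f for f, dests in out.items()
                  if any(d.startswith("default:") for d in dests))

# Constructed sample mirroring the setup in the thread: only "log" goes to the DB.
SAMPLE_CONF = "output database: log, mysql, user=snort dbname=snort host=localhost\n"

if __name__ == "__main__":
    print(still_on_defaults(SAMPLE_CONF, "snort -c /etc/snort/snort.conf"))
    print(still_on_defaults(SAMPLE_CONF, "snort -c /etc/snort/snort.conf -A none"))
```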