Network Security Snort-Users
Subject: Re: [Snort-users] Solved Can snort send alerts to the mysql database without writing an output file?
Date: Fri, 10 Mar 2006 09:57:18 +0100
Hi Raymond,

Solution that works:
    /usr/local/bin/snort -Dq -de -o -c /usr/local/etc/snort/snort.conf -i mi0 -u user -g group
    sleep 2
    rm /var/log/snort/alert

this solution will not work. If snort opens the alert file and populates
it, you cannot remove it as long as one process has the file open.
The rm command will remove the directory entry, but the file system
will get filled up until snort is stopped.

Once more:

  + There are two output facilities: "alert" and "log". 

  + The database output plugin can be attached to one of them, that is the
    first thing after output database:

      output database: log, ...
      output database: alert, ...

  + If you use "alert" then you should also use "-K none" or "-N".

  + If you use "log" then you should also use "-A none".

  + If a database output plugin for "alert" is activated, then no
    alert files should be written. But you will get log files aka
    pcap files. The options "-K none" or "-N" avoid this.

  + If a database output plugin for "log" is used, then an alert
    file is generated and all alerts are written to it but no log
    files are created. In this case you should use "-A none" and
    snort will only call log functions.

Activating an output plugin will disable the writing of the files
for this facility. But since you are usually only activating an
output plugin for one facility, either "alert" or "log", you will
still get the files for the other one. Therefore two options exist
(these override configuration file settings):

 + "-K none" or "-N" --> no "log" files

 + "-A none" --> no "alert" files

A final note: 

  + preprocessors usually call only alert functions.

  + The "tag" keyword will call only log functions for the tagged
    packets. (Do not confuse "Tagged Packets" with the split
    reassembled TCP streams of the unified output plugin.)

So with the normal database output plugin you will lose some information,
or you have to create two output plugins, one for "log" and one for "alert".

But then you will get most alerts twice, as they are sent to both the "log" and
"alert" facility.

Of course you can use FLoP, this will log each alert only one time if you
like...

Best regards

Dirk
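The rule Dirk spells out above (database plugin on "alert" needs "-K none" or "-N", database plugin on "log" needs "-A none", both attached needs nothing extra) is easy to get wrong by hand. The POSIX shell script below is an added example, not code from Dirk's post or from the Snort project: it reads the `output database:` lines of a snort.conf, works out which facility the plugin is attached to, and prints the option that suppresses the file output of the other facility. The snort.conf fragments it writes to a temporary directory are constructed sample input; the command line it prints is only echoed, never executed.

```shell
#!/bin/sh
# Added example (not from the original post). Decide which snort command-line
# option suppresses the file output for the facility NOT handled by the
# database plugin:
#   output database: alert, ... -> "-K none" (pcap "log" files would still be written)
#   output database: log, ...   -> "-A none" (the "alert" file would still be written)
#   both facilities              -> nothing extra, no files are written
#   neither                      -> no database plugin found, return failure

snort_db_facilities() {
    # Print the facility names ("alert", "log") the database plugin is attached to.
    # The facility is the first word after "output database:".
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" \
      | sed -E 's/^[[:space:]]*output[[:space:]]+database:[[:space:]]*([a-z]+).*/\1/' \
      | sort -u
}

snort_extra_flags() {
    # Print the option(s) to append to the snort command line for config $1.
    # Returns 1 when no database output plugin is configured at all.
    has_alert=0; has_log=0
    for f in $(snort_db_facilities "$1"); do
        case "$f" in
            alert) has_alert=1 ;;
            log)   has_log=1 ;;
        esac
    done
    if [ "$has_alert" -eq 1 ] && [ "$has_log" -eq 1 ]; then
        printf ''                 # both facilities go to the DB: nothing to suppress
    elif [ "$has_alert" -eq 1 ]; then
        printf '%s' '-K none'     # DB takes alerts; suppress the pcap "log" files
    elif [ "$has_log" -eq 1 ]; then
        printf '%s' '-A none'     # DB takes logs; suppress the "alert" file
    else
        return 1                  # no database plugin: both kinds of files are written
    fi
}

snort_cmdline() {
    # Echo (do not run) the snort invocation from the post with the extra option added.
    flags=$(snort_extra_flags "$1") || flags=''
    printf '/usr/local/bin/snort -Dq -de -o -c %s -i mi0 -u user -g group %s\n' "$1" "$flags"
}

# Constructed snort.conf fragments for demonstration (not real configurations).
tmp=$(mktemp -d)
cat > "$tmp/alert.conf" <<'EOF'
# DB plugin on the "alert" facility
preprocessor frag2
output database: alert, mysql, user=snort dbname=snort host=localhost
EOF
cat > "$tmp/log.conf" <<'EOF'
output database: log, mysql, user=snort dbname=snort host=localhost
EOF
cat > "$tmp/both.conf" <<'EOF'
output database: alert, mysql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort host=localhost
EOF
cat > "$tmp/none.conf" <<'EOF'
output alert_fast: alert
EOF

for c in alert log both; do
    snort_cmdline "$tmp/$c.conf"
done
```

The `-A`/`-K` options are command-line overrides, so they win over whatever the configuration file says; that is why the script emits them rather than editing snort.conf. Deleting the alert file while snort holds it open, as in the command at the top of the post, would only drop the directory entry and leave the space in use.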



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net