Re: Snort custom logging via rule set?
From: Martin Roesch (roesch@sourcefire.com)
Date: 09/26/01
- In reply to: w1re p4ir: "Snort custom logging via rule set?"
Message-ID: <3BB121E3.4E35D2D3@sourcefire.com>
Date: Tue, 25 Sep 2001 20:31:31 -0400
From: Martin Roesch <roesch@sourcefire.com>
To: w1re p4ir <w1rep4ir@disinfo.net>
Subject: Re: Snort custom logging via rule set?
You have two options here:
1) Use the "logto" option and specify an output file for particular
rules when they fire. See
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.2 for more
info.
2) Use the "ruletype" operator and specify a new rule action type and
output facilities for that type. Look for 'ruletype' in the snort.conf
file for more information.
There is no command line operator for this option, you have to do it in
the rules/configuration file.
-Marty
w1re p4ir wrote:
>
> In light (or dark, rather) of the Nimda scans that are pounding my Snort box, I was curious if there was any way to, on the command line, log specific rules to a specific log file? i.e.: snort -c snort.conf -i eth0 -l /var/log/snort -<customlog> /var/log/snort/friggeniisattacks.log.
> You get my point. I know you can send it to syslog and parse it from there, but I'd rather just make it log to a custom log file. If there isn't a way, how many of you would be interested in a script that does? I might just write one ;p.
> Thanks!
> w1re
>
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
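Both options from Marty's reply, written out as an added example for this archive page (it is not code from the original mail or from the Snort distribution). The rule content, the variable values and the file names are illustrative assumptions; the output file names are relative to the directory given with -l, so with the command from the original question they land under /var/log/snort.

```conf
# Added example: two ways to send selected rules to their own log file.
# Assumed network variables (illustrative, adjust to your site).
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET

# Option 1: the "logto" rule option.
# The rule still alerts through whatever output plugins are configured,
# but every packet that fires it is additionally logged to the named file.
# The file name is relative to the -l log directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; logto:"friggeniisattacks.log";)

# Option 2: a custom rule action declared with "ruletype".
# The ruletype must appear in the config before any rule that uses it.
# Rules using this action type are handled only by the output plugins
# listed inside the ruletype, so they go to this file and nowhere else.
ruletype iisattack
{
    type alert
    output alert_fast: friggeniisattacks.log
}

# Same detection logic, but with "iisattack" as the action instead of "alert".
iisattack tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase;)
```

Two caveats a practitioner will hit: "logto" writes packet logs and is not usable when Snort runs in binary (tcpdump-format, -b) logging mode, so choose "ruletype" if you rely on -b; and a ruletype of type alert with its own output plugin replaces the default alerting for those rules, so if you also want them in the main alert file, add a second "output" line (for example another alert_fast or alert_syslog) inside the ruletype block.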