Pantek Library

[Snort-sigs] problem with double logging

From: Marco Agostani <m.agostani(at)fineco.it>
Date: Fri May 23 2003 - 06:46:07 EDT


Hi there,

I've a problem with snort 2.0 using the default output plugin. If I wrote down a rule like this

log tcp $NET -> .....etc.

my packet is being logged double; if the rule says alert I catch only one log.

my snort.conf is

var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
var RULE_PATH /etc/snort
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include reference.config

I fire up snort with /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort

regards
Marco Agostani




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 27 11:18:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

