From: Jon U. <jur...@ya...> - 2008-05-13 17:44:18

Hi again,

The snort issue is about a strange functioning of our compilation. We have a new snort that creates correct snort.log files... Then I still have the rest of my questions... ossim-agent is not parsing snort's log at all. There are alerts generated but no event inserted in ossim server. Any ideas??

Regards
Jon

Jon Uriona wrote:
> Hi all,
>
> We have snort (with pf_ring) logging in unified format, analyzing a link
> at about 50 Mbps. The output line is:
>
> "output unified: filename snort, limit 128"
>
> At this rate, a file (128 MB) is generated every minute or two. My first
> question is... Is this normal? There has been a snort config depuration
> and the alert rate is not very high, so even if the whole packets
> (generating alerts) are logged, it is a very big amount!! The error
> should be here... What's your opinion about this??
>
> We have an instance of ossim-agent with snortunified plugin, here the
> config:
>
> "[config]
> type=detector
> enable=yes
> source=snortlog
> process=snort
> start=no; launch plugin process when agent starts
> stop=no; shutdown plugin process when agent stops
> startup=/etc/init.d/%(process)s start
> shutdown=/etc/init.d/%(process)s stop
> directory=/var/log/snort/
> prefix=snort
> linklayer=ethernet
> "
>
> But there is no snort event logged into the server. How can I assure
> that ossim-agent is reading the unified files? lsof does not say
> anything (no open files). Is it going to be fast enough to read that
> amount of data??
> How can the agent's unified parser be aware of the rotation of these
> files (snort logs)? I need to rotate them periodically (disk space is
> not infinite...) and I need to know how much of the agent's work is done!!
>
> Please help!! Regards,
>
> Jon
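A diagnostic for the two questions above (is any process holding the unified files open, and how far has each reader got before the file is rotated away), added here as an example and not code from the thread or from OSSIM: it walks /proc on Linux and reads the kernel-side file offset from /proc/<pid>/fdinfo, which is independent of whatever the agent itself reports. The directory /var/log/snort/ and prefix snort come from the quoted config; the file name snort.log.1210700000 in the self-check is constructed.

```python
import os
import tempfile

def reader_offsets(directory):
    """Return {path: {pid: offset}} for every file under `directory` that some
    process holds open; offset comes from /proc/<pid>/fdinfo/<fd> (Linux only)."""
    base = os.path.realpath(directory) + os.sep
    found = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:          # process exited, or not readable by this user
            continue
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if not target.startswith(base):
                    continue
                with open(f"/proc/{pid}/fdinfo/{fd}") as info:
                    pos = next(int(l.split()[1]) for l in info if l.startswith("pos:"))
            except (OSError, StopIteration):
                continue
            found.setdefault(target, {})[int(pid)] = pos
    return found

def progress_report(directory, prefix="snort"):
    """Per prefix* file: bytes on disk, and each reader's consumed bytes.
    A reader far behind `size`, or no reader at all, explains missing events."""
    offsets = reader_offsets(directory)
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.startswith(prefix):
            path = os.path.join(os.path.realpath(directory), name)
            report[name] = {"size": os.path.getsize(path),
                            "readers": offsets.get(path, {})}
    return report

def self_check():
    """Constructed demo: write a 4096-byte stand-in for a unified file, hold it
    open after reading 1000 bytes unbuffered, and look ourselves up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snort.log.1210700000")   # constructed name
        with open(path, "wb") as fh:
            fh.write(b"\0" * 4096)
        with open(path, "rb", buffering=0) as fh:         # raw: offset == bytes read
            fh.read(1000)
            entry = progress_report(d)["snort.log.1210700000"]
    return entry["size"], entry["readers"].get(os.getpid())

if __name__ == "__main__":
    print(self_check())                                    # (4096, 1000)
    if os.path.isdir("/var/log/snort/"):
        for name, info in progress_report("/var/log/snort/", "snort").items():
            print(name, info["size"], info["readers"] or "NO READER")
```

An empty `readers` entry for a file that snort is still writing means no agent has it open, which is what lsof showing nothing also implies; a reader stuck at a small offset while `size` climbs toward 128 MB means the parser cannot keep up before rotation.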