Snort Forums Archive
Disabling Snort logging locally
Posted by diegodezuniga on July 17, 2005 12:47:05
Hi all,
I'm using Snort within the Prelude framework. My concern is to mitigate the system impact on the Snort sensor itself. Thus, I would like to disable Snort logging locally in /var/log/snort/ and just send output to the Prelude Manager. I tried with -N on the syntax but it was still logging.
Then I configured snort.conf with output alert_full: /dev/null and Snort is not writing data on the machine. But I would like to know if this is the best way to keep Snort from writing data on the local machine.
Thanks,
Roberto SL
Posted by DG on July 27, 2005 00:37:55
Hi Roberto,
The -N option only disables the writing of log data; alert data are still stored
on the disk.
I have written a patch to disable this behaviour. It is part of the FLoP patch,
you can find it at
http://www.geschke-online.de/FLoP/
The necessary option is "-Y" (originally I called it '-Q' like 'quiet' but
this option is now used by snort inline...)
Note: The 2.3 patch should also work with 2.3.3, maybe I should separate this
feature from the "normal" FLoP patch and send it to snort.org?
Best regards
Dirk
Posted by diegodezuniga on September 15, 2005 17:05:49
Hi Dirk,
Thanks for your answer. I will try your patch and I will let you know.
I believe that the FLoP project should be especially considered when Snort is analyzing a large network bandwidth.
Cheers,
Roberto SL
Posted by diegodezuniga on September 15, 2005 17:39:03
>Note: The 2.3 patch should also work with 2.3.3, maybe I should separate this
>feature from the "normal" FLoP patch and send it to snort.org?
Why not? :)
Roberto SL
Posted by IFK120 on September 30, 2005 00:50:05
I just found a solution without patching!
Just type the string "output log_null" in your snort.conf after the string "output database bla-bla-bla".
So it looks like this:
--------------------------------------------------------------
output database: alert, mysql, user=(user) password=(password) dbname=snort....
output log_null
--------------------------------------------------------------
Enjoy!
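To check which of the approaches discussed in this thread a given snort.conf actually uses, the following is an added example that is not part of the thread or of Snort itself. The function name audit_snort_outputs, the list of plugins treated as file writers (stock Snort 2.x names) and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the "output" directives in a
# Snort 2.x snort.conf and flag the ones that still write files locally.

# audit_snort_outputs CONF
#   Prints one tagged line per active output directive:
#     LOCAL  file-writing plugin with a real target (or its default file)
#     NULL   file-writing plugin pointed at /dev/null, or log_null
#     OTHER  anything else (database, alert_prelude, alert_syslog, ...)
#   Returns 1 if any LOCAL line was printed, otherwise 0.
audit_snort_outputs() {
    awk '
    BEGIN {
        # Assumption: stock Snort 2.x plugins that write to a file.
        plugins = "alert_fast alert_full alert_csv log_tcpdump"
        plugins = plugins " alert_unified log_unified unified2"
        n = split(plugins, p, " ")
        for (i = 1; i <= n; i++) writes_file[p[i]] = 1
    }
    /^[ \t]*output[ \t]+/ {
        line = $0
        sub(/^[ \t]*output[ \t]+/, "", line)
        name = line; sub(/[: \t].*/, "", name)          # plugin name
        args = line; sub(/^[^: \t]+[: \t]*/, "", args)  # everything after it
        if (name == "log_null") { tag = "NULL"; seen_null = 1 }
        else if (!(name in writes_file)) tag = "OTHER"
        else if (args ~ /(^|[ \t,])\/dev\/null([ \t,]|$)/) tag = "NULL"
        else { tag = "LOCAL"; bad++ }
        printf "%-5s %s %s\n", tag, name, args
    }
    END {
        if (!seen_null)
            print "NOTE  log_null absent: packet logging is not disabled in this file (-N also disables it)"
        exit (bad > 0)
    }' "$1"
}

# Constructed sample config: the two approaches from the thread plus one
# plugin that would still write to disk. Credentials are placeholders.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
output database: alert, mysql, user=(user) password=(password) dbname=snort
output alert_full: /dev/null
output log_tcpdump: tcpdump.log
output log_null
EOF
audit_snort_outputs "$demo_conf" || echo "local file output is still enabled"
rm -f "$demo_conf"
```
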