[Oisf-users] how can I see the words alert and drop in my fast.log???

Victor Julien lists at inliniac.net
Fri Jul 5 09:17:36 UTC 2013


On 07/04/2013 04:49 PM, mouna amani wrote:
> I am going to change some rules to drop :
> 
> How can I know which lines are for the alert events and which are for
> the drop events?????
> if fast.log doesn't put "alert" or "drop" in the log

If you're in inline mode and the rule is set to drop, the fast.log line
will contain [drop].

Cheers,
Victor

> 
> On Thu, Jul 4, 2013 at 4:39 PM, Victor Julien <lists at inliniac.net> wrote:
>> On 07/04/2013 03:11 PM, mouna amani wrote:
>>> I am using the fast.log
>>> I configured to file type: regular
>>> My rules are all set to alerts
>>> I got lines in my fast.log looking like this :
>>>
>>> 10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense
>>>   COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web
>>>   Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068
>>> It is just an example
>>> I want to see the word "alert" in my fast.log
>>>  what should I change ??????
>>
>> Nothing. The alert keyword makes sure the lines get written to the fast
>> log. "alert" itself is not written to it.
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
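As an added example (not from this thread or from the Suricata project), a small Python parser for the fast.log line layout quoted above that classifies each line as alert or drop purely by the presence of the drop marker. It assumes the marker sits between the timestamp and the first "[**]", and matches it case-insensitively because Suricata writes it as "[Drop]" while the reply above spells it "[drop]".

```python
import re
from typing import Optional

# Layout of one fast.log line, following the sample quoted in the thread. In
# inline mode a dropped packet gets a "[Drop]" marker between the timestamp and
# the first "[**]"; alert-only rules produce no marker at all, so that marker
# is the only thing that distinguishes the two kinds of lines.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<marker>drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>.*?)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$",
    re.IGNORECASE,  # Suricata emits "[Drop]"; the reply above writes "[drop]"
)

def parse_fastlog_line(line: str) -> Optional[dict]:
    """Return the parsed fields plus an 'action' of 'alert' or 'drop', or None."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = "drop" if ev.pop("marker") else "alert"
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev

def count_actions(lines) -> dict:
    """Tally alert vs drop lines: a quick check that a rule changed to 'drop'
    is really dropping (and that the engine is actually running inline)."""
    counts = {"alert": 0, "drop": 0, "unparsed": 0}
    for line in lines:
        ev = parse_fastlog_line(line)
        counts[ev["action"] if ev else "unparsed"] += 1
    return counts

# Constructed sample: the first line is the one quoted in the thread, re-joined
# onto a single line; the second is a made-up [Drop] line for the same rule.
SAMPLE_LINES = [
    "10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068",
    "10/05/10-10:09:01.123456  [Drop] [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56070",
]

if __name__ == "__main__":
    print(count_actions(SAMPLE_LINES))
```

Run it against a real fast.log with `count_actions(open("fast.log"))`; if every line you expect to be a drop still counts as an alert, the rule action was not changed or Suricata is not in inline mode.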