I have a new instance with Snort set up. When I tried to look at the alert log I noticed that the directory doesn't have a /var/log/snort/alert file. I tried to touch this file and chmod it to give read and write access to my snort user, but I still have no alert (even if I create a rule to catch all the calls and log them as errors):
alert ip any any -> any any ( msg: "ICMP packet detected!"; sid: 1; )
Any idea if I am missing something?
By the way here is the command I run for Snort:
sudo /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
Am I missing something?
You don't need to create any file. Snort will create it when something matches your rule and it generates an alert. To do this, start your Snort in full alert mode to log all alerts, with something like this:
snort -dev -i wlan0 -c /etc/snort/snort.conf -l /var/log/snort/ -A full
Then, if you are on Linux, go to the path: cd /var/log/snort/
and see your logs with this command: cat alert | grep -i detected
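Once Snort is writing a text alert file, grep -i detected only tells you that something fired. What follows is an added example, not code from the answer above or from the Snort project: a small Python parser for the -A full alert format that turns each entry into a record with gid/sid/rev, message, priority, classification, timestamp, endpoints and protocol, so you can count hits per rule or filter by message the way the grep does. The sample alert text embedded in the block is constructed for the example, not captured from a live sensor; any extra detail lines a particular Snort build prints after the endpoint line are simply ignored.

```python
import re
from collections import Counter

# Constructed sample of a Snort "-A full" alert file (made up for this example).
# Each entry is: header line with [gid:sid:rev] and the rule msg, an optional
# classification/priority line, the timestamp + endpoint line, protocol details,
# then a blank line separating it from the next entry.
SAMPLE_ALERT_FILE = """\
[**] [1:1:0] ICMP packet detected! [**]
[Priority: 0] 
01/15-10:23:45.123456 192.168.1.10 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1:0] ICMP packet detected! [**]
[Priority: 0] 
01/15-10:23:45.223456 192.168.1.1 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:54322 IpLen:20 DgmLen:84
Type:0  Code:0  ID:4321   Seq:1  ECHO REPLY

[**] [1:1000001:2] Example TCP rule [**]
[Classification: Attempted Information Leak] [Priority: 2] 
01/15-10:24:01.000001 10.0.0.5:44321 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
ENDPOINT_RE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) (\S+) -> (\S+)$")


def parse_full_alerts(text):
    """Split a full-format alert file into one dict per alert entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not an alert header (e.g. stray output); skip the block
        entry = {
            "gid": int(header.group(1)), "sid": int(header.group(2)),
            "rev": int(header.group(3)), "msg": header.group(4),
            "priority": None, "classification": None,
            "timestamp": None, "src": None, "dst": None, "proto": None,
        }
        for line in lines[1:]:
            line = line.rstrip()  # the priority line carries a trailing space
            prio = PRIORITY_RE.search(line)
            endpoints = ENDPOINT_RE.match(line)
            if prio:
                entry["priority"] = int(prio.group(1))
                cls = CLASS_RE.search(line)
                if cls:
                    entry["classification"] = cls.group(1)
            elif endpoints:
                entry["timestamp"], entry["src"], entry["dst"] = endpoints.groups()
            elif entry["proto"] is None and entry["timestamp"] is not None:
                # First word of the line right after the endpoints is the
                # protocol (ICMP / TCP / UDP); later detail lines are ignored.
                entry["proto"] = line.split()[0]
        entries.append(entry)
    return entries


def count_by_sid(entries):
    """How many times each rule (by sid) fired."""
    return Counter(e["sid"] for e in entries)


def grep_msg(entries, needle):
    """Case-insensitive match on the rule msg, like `grep -i` on the file."""
    needle = needle.lower()
    return [e for e in entries if needle in e["msg"].lower()]


if __name__ == "__main__":
    alerts = parse_full_alerts(SAMPLE_ALERT_FILE)
    for sid, n in count_by_sid(alerts).items():
        print(f"sid {sid}: {n} alert(s)")
    for e in grep_msg(alerts, "detected"):
        print(e["timestamp"], e["proto"], e["src"], "->", e["dst"], e["msg"])
```

To use it on a real sensor, read /var/log/snort/alert into a string and pass it to parse_full_alerts; the parser only understands the text layout that -A full produces, so if snort.conf is configured for unified2 output you will still need -A full (or a unified2 reader) before there is anything to parse.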