Snort mailing list archives
RE: Repost: Syslog, but I don't want it
From: Marc Thompson <Marc.Thompson () bops com>
Date: Sun, 3 Jun 2001 20:56:49 -0500
As requested, my snort config without comment lines. I earlier hypothesized that the lack of the '-l' command-line argument to snort caused it to log to syslog by default. My hypothesis turned out to be wrong, though. So, I'm still having the problem. My current snort command line is:

snort -c /etc/snort/snort.conf -i eth1 -Dd -l /var/log/snort

Thank you,
Marc Thompson

** Snort conf file. Only thing different is that I've obfuscated the IP addresses.

var HOME_NET xxx.xxx.xxx.xxx/xxx
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out
output database: log, mysql, user=snort password=xxxx dbname=snort host=xxxx sensor_name=nids encoding=hex
include /etc/snort/webcgi-lib
include /etc/snort/webcf-lib
include /etc/snort/webiis-lib
include /etc/snort/webfp-lib
include /etc/snort/webmisc-lib
include /etc/snort/overflow-lib
include /etc/snort/finger-lib
include /etc/snort/ftp-lib
include /etc/snort/smtp-lib
include /etc/snort/telnet-lib
include /etc/snort/misc-lib
include /etc/snort/netbios-lib
include /etc/snort/scan-lib
include /etc/snort/ddos-lib
include /etc/snort/backdoor-lib
#include /etc/snort/ping-lib
include /etc/snort/rpc-lib
include /etc/snort/virus-lib

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax: (512)346-8407
-----Original Message-----
From: Fyodor [mailto:fygrave () tigerteam net]
Sent: Saturday, June 02, 2001 5:03 AM
To: Marc Thompson
Cc: 'snort-users () lists sourceforge net'; 'joey () silicondefense com'
Subject: Re: [Snort-users] Repost: Syslog, but I don't want it

On Fri, Jun 01, 2001 at 10:10:10AM -0500, Marc Thompson wrote:
> Joe, You recommended that I run snort without the -D (Daemon-mode) option. I tried this, ran nmap, alerts fired but weren't sent to syslog. This is the behavior that I want, so your idea worked. So, it seems that running snort in Daemon mode enables syslog logging via the LOCAL facility. I imagine that this is by design.

By design only errors and warnings are logged via syslog if it's running in daemon mode.

> What do you recommend I try next? Bug report? Enhancement Request?

Well, if you could show us relevant snippets of the configuration file, so we could reproduce 'the bug', it would be helpful indeed. :)
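The thread turns on where Snort sends alerts as opposed to packet logs: the posted snort.conf declares only log-facility output plugins (log_tcpdump and database with the "log" facility), and the command line runs in daemon mode. The Python below is an added example, not code from the thread or from the Snort project. It parses a Snort 1.x-style snort.conf and command line and reports which output plugins are configured, which facility (alert or log) each serves, and which single-letter switches are set, so a reader can see at a glance whether any alert output is declared at all and whether -s (Snort's switch for sending alerts to syslog) is present. The sample config is constructed from the one posted above with placeholder values. Classifying plugins by the alert_/log_ name prefix and by the database plugin's first argument is this example's assumption about Snort 1.x plugin naming; the findings only describe what is declared and do not assert what Snort does when no alert plugin is configured.

```python
"""Audit where a Snort 1.x-style setup sends alerts and packet logs.

Added example: reads the constructed config and command line below
(modelled on the thread's posting, with placeholder values), not a real
deployment, and reports declared output plugins and command-line switches.
"""
import re
import shlex

# Constructed sample config, modelled on the one posted in the thread.
SAMPLE_CONF = """\
var HOME_NET xxx.xxx.xxx.xxx/xxx
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out
output database: log, mysql, user=snort password=xxxx dbname=snort host=xxxx sensor_name=nids encoding=hex
include /etc/snort/webcgi-lib
#include /etc/snort/ping-lib
"""

# Constructed sample command line, as posted in the thread.
SAMPLE_CMDLINE = "snort -c /etc/snort/snort.conf -i eth1 -Dd -l /var/log/snort"


def parse_outputs(conf_text):
    """Return a list of (plugin, facility, args) for each `output` directive.

    Facility is 'alert' or 'log'.  Assumption of this example: the database
    plugin names its facility as its first argument, and every other plugin
    is named alert_* or log_* after the facility it serves.
    """
    outputs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # skip blanks and comments
            continue
        m = re.match(r'output\s+(\w+)\s*:?\s*(.*)$', line)
        if not m:
            continue
        plugin, args = m.group(1), m.group(2).strip()
        if plugin == 'database':
            facility = args.split(',')[0].strip()
        elif plugin.startswith('alert_'):
            facility = 'alert'
        elif plugin.startswith('log_'):
            facility = 'log'
        else:
            facility = 'unknown'
        outputs.append((plugin, facility, args))
    return outputs


def parse_cmdline(cmdline):
    """Return the set of single-letter switches on a snort command line.

    Bundled switches such as -Dd expand to {'D', 'd'}; option arguments
    (paths, interface names) do not start with '-' and are ignored.
    """
    flags = set()
    for tok in shlex.split(cmdline)[1:]:           # [0] is the program name
        if tok.startswith('-') and not tok.startswith('--') and len(tok) > 1:
            flags.update(tok[1:])
    return flags


def audit(conf_text, cmdline):
    """Summarise declared outputs and switches and list notable findings."""
    outputs = parse_outputs(conf_text)
    flags = parse_cmdline(cmdline)
    findings = []
    if not any(fac == 'alert' for _, fac, _ in outputs):
        findings.append('no output plugin declared for the alert facility')
    if any(plugin == 'alert_syslog' for plugin, _, _ in outputs):
        findings.append('alert_syslog output plugin declared')
    if 's' in flags:
        findings.append('-s present: alerts directed to syslog')
    if 'D' in flags:
        findings.append('daemon mode (-D) enabled')
    if 'l' not in flags:
        findings.append('no -l log directory on the command line')
    return {'outputs': outputs, 'flags': flags, 'findings': findings}


if __name__ == '__main__':
    report = audit(SAMPLE_CONF, SAMPLE_CMDLINE)
    for plugin, facility, args in report['outputs']:
        print(f'output {plugin:<12} facility={facility:<5} {args}')
    print('switches:', ''.join(sorted(report['flags'])))
    for f in report['findings']:
        print('finding:', f)
```

Run against the sample, the report shows two log-facility outputs, no alert-facility output, and daemon mode enabled, which is the configuration the thread is trying to diagnose; pointing it at a real snort.conf and the actual command line is the quickest way to check whether an alert_syslog plugin or -s switch is what routes alerts to syslog.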