Snort mailing list archives

Re: No alerts


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 25 Mar 2002 14:39:44 -0800

Hi Erek,

Sorry to be unclear. By alerts, I meant the one-line messages typically sent to snort_fast and the longer messages typically sent to snort_full and analyzed by SnortSnarf.

Thanks for the suggested optimization; that is, logging in only a single format. But, if I log only to binary, how do I get near-real-time alerts?

In any case, this particular box has CPU power to burn. So, generating logs and alerts is a convenience that doesn't seem to be costing me anything.

Using strace sounded like fun. But, I ended up with a b'zillion line trace file. To help find the needle, I decided to compare straces for 1.8.3 and 1.8.4. But I realized that 1.8.4 was compiled for debugging, but 1.8.3 was not. So, I recompiled 1.8.4 without debugging. Then, I ran strace on each version.

Before I analyzed the trace, I discovered that 1.8.4 was properly logging alerts. My guess is that the problem is related to the way I worked around the compilation problem about which I earlier posted. Most recently, I tweaked config.h rather than /usr/include/sys/types.h. Another possibility is that the failure to create alerts only occurs in debug mode.

I'm kinda tired and way behind on the day's other tasks. So, I'm gonna leave well enough alone, unless someone pipes up with further data or problems. In that case, I'm willing to use my setup as a test bench.

Thanks and Cheers,

--On Monday, March 25, 2002 1:17 PM -0800 Erek Adams <erek () theadamsfamily net> wrote:

Well...  That's a bit of overkill.  If you are going to log in binary,
there's no need to burn CPU logging any other way.

I'd remove everything but log_tcpdump, then strace the binary and see what
it's trying to open.  It might be something as simple as permissions or a
umask issue from one version to another.

---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
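Erek's suggestion above (strip the output plugins down to log_tcpdump, strace the snort binary and see what it tries to open) produces the "b'zillion line" trace Bill mentions. The following is an added shell example, not code from either poster or from the Snort project: it filters an strace log down to the file opens that failed, with the errno, and reports the umask in effect, which is exactly the permissions-or-umask difference between two builds that Erek has in mind. The strace and snort options in the comment are real; the paths and the sample trace are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): pull the failed open()/openat()/creat()
# calls and the umask out of an strace of snort, so a permissions or umask
# problem shows up without reading the whole trace.
#
# Capture step (real strace/snort flags; binary and config paths are assumptions):
#   strace -f -e trace=open,openat,creat,umask -o /tmp/snort.strace \
#       /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0
# Then:  failed_opens /tmp/snort.strace ; last_umask /tmp/snort.strace

# Print one "PATH ERRNO SYSCALL" line per open/openat/creat that returned -1.
# Handles both the plain "open(" lines and the "[pid N] " prefix strace -f adds,
# and the openat(AT_FDCWD, "...") form newer libcs use.
failed_opens() {
    grep -E '^(\[pid +[0-9]+\] +)?(open|openat|creat)\(.*\) += -1 [A-Z]+ ' "$1" |
    sed -E 's/^(\[pid +[0-9]+\] +)?(open|openat|creat)\(.*"([^"]*)".*\) += -1 ([A-Z]+) .*$/\3 \4 \2/'
}

# Print the last umask the process set. strace shows the *previous* mask as the
# return value, so the argument, not the result, is the mask now in effect.
# Prints nothing if the trace contains no umask() call.
last_umask() {
    sed -nE 's/^(\[pid +[0-9]+\] +)?umask\(([0-7]+)\).*$/\2/p' "$1" | tail -n 1
}

# Constructed sample trace (not a real capture) showing the two failure modes
# that would stop alert files from appearing: an alert file the process may not
# create, and a log directory that does not exist.
SAMPLE_TRACE=$(mktemp)
trap 'rm -f "$SAMPLE_TRACE"' EXIT
cat >"$SAMPLE_TRACE" <<'EOF'
execve("/usr/local/bin/snort", ["snort", "-c", "/etc/snort/snort.conf"], [/* 20 vars */]) = 0
umask(022)                              = 022
open("/etc/snort/snort.conf", O_RDONLY) = 3
open("/etc/snort/rules/web-cgi.rules", O_RDONLY) = 4
[pid 31337] open("/var/log/snort/alert", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 31337] openat(AT_FDCWD, "/var/log/snort/snort.log.1017090000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
[pid 31337] open("/dev/null", O_RDWR)   = 5
EOF

failed_opens "$SAMPLE_TRACE"
# /var/log/snort/alert EACCES open
# /var/log/snort/snort.log.1017090000 ENOENT openat
echo "umask: $(last_umask "$SAMPLE_TRACE")"
# umask: 022
```

Run it against two traces, one per snort build, and diff the two `failed_opens` outputs: a path that fails in one build and not the other points straight at the file (and the directory permissions or umask) to check, which is far quicker than comparing the raw traces line by line.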

