
RE: Snort Syslog Alerts on Win32


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 04 Jan 2003 19:32:48 -0600

On Sat, 2003-01-04 at 15:59, L. Christopher Luther wrote:
Unfortunately, using the command line parameter for syslog is not an
option, exactly because I don't want to clobber the other output
plug-ins in the snort.conf file.  And it probably will not work anyway
under Win32 (see the post/rant I just sent to the list).  It appears
that "syslog" under Win32 really means "Event Log", which just will
not do.

Presuming that Snort under Win32 will some day really support syslog
output, hopefully then there will also be a "host=" and "port=" option
for the alert_syslog plug-in.  


Chris,

if you search the archives you will come across (almost monthly)
postings like yours. I had written a patch to Snort at some time in the
past (I think that's almost 2-3 years ago). That patch will allow you to
use '-s <host>' on the command line under Windows without nullifying the
snort.conf. In other words, Snort still uses all settings from
snort.conf but in addition uses the host from '-s' to send syslog alerts
to.

Why this still hasn't been committed, I can't answer. Even though this
issue is raised very frequently, the developers/committers have yet to
add a satisfactory solution to the source. My patch worked for me (and
others), but I guess wasn't worthy for addition to Snort. Until that
issue is finally addressed, we'll see questions like this asked
routinely.

So, again, search the archives and you'll find a patch for Snort. Apply
that to the source, recompile, and you can send syslog alerts to a
remote host under Windows.

Regards,
Frank


