Snort mailing list archives
RE: Snort Syslog Alerts on Win32
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sun, 5 Jan 2003 00:41:22 -0500
Thanks, Frank. I'll search the archives (soon) to see what I can find. I really liked the Snort forum on RapidNet -- it made searching much easier -- but alas, it's gone by the wayside.

Christopher

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Saturday, January 04, 2003 8:33 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32

On Sat, 2003-01-04 at 15:59, L. Christopher Luther wrote:
> Unfortunately, using the command line parameter for syslog is not an option, exactly because I don't want to clobber the other output plug-ins in the snort.conf file. And it probably will not work anyway under Win32 (see the post/rant I just sent to the list). It appears that "syslog" under Win32 really means "Event Log", which just will not do. Presuming that Snort under Win32 will some day really support syslog output, hopefully then there will also be a "host=" and "port=" option for the alert_syslog plug-in.
Chris, if you search the archives you will come across (almost monthly) postings like yours. I had written a patch to Snort at some time in the past (I think that's almost 2-3 years ago). That patch will allow you to use '-s <host>' on the command line under Windows without nullifying the snort.conf. In other words, Snort still uses all settings from snort.conf but in addition uses the host from '-s' to send syslog alerts to.

Why this still hasn't been committed, I can't answer. Even though this issue is raised very frequently, the developers/committers have yet to add a satisfactory solution to the source. My patch worked for me (and others), but I guess wasn't worthy for addition to Snort. Until that issue is finally addressed, we'll see questions like this asked routinely.

So, again, search the archives and you'll find a patch for Snort. Apply that to the source, recompile, and you can send syslog alerts to a remote host under Windows.

Regards,
Frank
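The remote-syslog output the thread is asking for, as an added example that is neither Snort's alert_syslog plug-in nor Frank's patch: it builds an RFC 3164 datagram from a constructed Snort-style alert line, ships it over UDP to a collector, and parses it back so the facility/severity encoding can be verified at the receiving end. The auth.alert pair, the hostname and the addresses are assumptions, not values from the thread.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "authpriv": 10,
            "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

# Constructed sample in the shape Snort writes to syslog; the SID and
# addresses are placeholders, not a real rule or real hosts.
SAMPLE_ALERT = ("snort: [1:9999999:1] EXAMPLE suspicious probe "
                "[Classification: Attempted Information Leak] [Priority: 2]: "
                "{TCP} 192.0.2.10:4444 -> 192.0.2.20:80")


def encode_pri(facility: str, severity: str) -> int:
    """Combine facility and severity into the <PRI> value (0..191)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility_code, severity_code)."""
    return divmod(pri, 8)


def build_datagram(msg: str, hostname: str, when: datetime,
                   facility: str = "auth", severity: str = "alert") -> bytes:
    """Format '<PRI>Mmm dd HH:MM:SS host msg'; auth.alert is an assumed default."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {msg}".encode(
        "ascii", "replace")


def parse_datagram(data: bytes) -> dict:
    """Minimal collector-side parser; returns the fields a SIEM would index on."""
    text = data.decode("ascii", "replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    pri_text, rest = text[1:].split(">", 1)
    facility, severity = decode_pri(int(pri_text))
    hostname, msg = rest[16:].split(" ", 1)      # 15-char timestamp, one space
    return {"facility": facility, "severity": severity,
            "timestamp": rest[:15], "hostname": hostname, "msg": msg}


def send_datagram(data: bytes, host: str, port: int = 514) -> int:
    """Ship over UDP/514; host/port play the role of the host=/port= options."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


def example_datagram() -> bytes:
    """Fixed constructed timestamp so the output is reproducible."""
    return build_datagram(SAMPLE_ALERT, "snort-win32", datetime(2003, 1, 4, 20, 33, 0))
```

Compare the bytes on the wire (a capture of UDP/514 from the sensor) against `parse_datagram` output to confirm the collector is filing alerts under the facility and severity it filters on.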