Snort mailing list archives
Win32, output alert_syslog: host=xxxx broken?
From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 1 May 2003 17:17:43 -0400 (EDT)
Per [0] and [1], "output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT" should work on Windows, yet in Version 2.0.0-ODBC-MySQL-WIN32 (Build 72) [2] it does not seem to. I've tried these, none work (NOT using -s on CLI):

  output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
  output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
  output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
  output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT

Snort starts and runs fine with -T or -v, I get captures in the ./log dir as expected, but no matter what, the events all end up in the Windows Event log, NOT in my loghost's syslog. Loghost is RedHat 8 and it's working, as I am getting syslog from other servers (in fact, I'm using BackLog on the Snort Windows box, so I *do* get the Snort alerts, but from Backlog, not Snort. :-( Unfortunately, that is not a possible solution as this config is for a customer who must run Snort on Windows and send to a syslog device doing filtering. Adding Backlog to the mix will break the filters.

  C:\Snort> egrep "output alert|alert icmp" c:\snort\etc\snort.conf
  # output alert_syslog: host=10.120.2.61:514, LOG_AUTH LOG_ALERT
  #output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
  #output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
  #output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
  output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
  alert icmp any any -> any any (msg: "HPT-Catch All ICMP";)

I'm running really simple (e.g. C:\Snort> bin\snort -c c:\Snort\etc\snort.conf), and added the above temp rule to trigger alerts via ping. Everything works, except the alerts go to the wrong place.

I took a peek at the source and it *looked* OK to me, but then I really don't know squat about it.

Am I doing something dumb, or is it really broken? If so, when might it be fixed?

TIA,
JP

[0] From: Chris Green <cmg () sourcefire com>
    Date: Tue, 01 Apr 2003 14:34:49 -0500
    Subject: [Snort-announce] Snort 2.0.0 RC2 Available!
    Changes Since RC1
    syslog should work on win32 and unix

[1] 2003-03-27 Chris Reid <chris.reid () codecraftconsultants com>
    Build 63
    * src/output-plugins/spo_alert_syslog.c
      Win32 '-s' now takes no arguments. Host/port info is configured only within snort.conf (output alert_syslog).

[2] http://www.snort.org/dl/binaries/win32/snort-2_0_0.exe

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|            jp () jpsdomain org
My Account, My Opinions       |=========|        http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed Linux..."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
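When alerts land in the wrong place, it helps to separate "the output plugin never emits anything" from "the loghost drops what arrives". The script below is an added example, not Snort's spo_alert_syslog code and not part of the original post: it parses the `output alert_syslog: host=HOST[:PORT], FACILITY SEVERITY` line shown in the mail, computes the syslog PRI the way RFC 3164 defines it (facility * 8 + severity, using the numeric codes from `<syslog.h>`, so LOG_AUTH LOG_ALERT gives 33), and sends one UDP datagram with that PRI. The `snort:` tag, the `snortbox` hostname and the message text are constructed placeholders; the real plugin's message body is not reproduced. `loopback_check()` sends to a throwaway listener on 127.0.0.1 so the framing can be verified offline; `send_syslog()` sends to the configured host for a real reachability test.

```python
"""Added example: verify syslog PRI and UDP delivery for an alert_syslog line.
Not Snort's own code; framing follows RFC 3164, tag/hostname are assumed."""
import socket
import time

# Facility and severity codes as defined in <syslog.h> / RFC 3164.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
              "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def parse_alert_syslog(line):
    """Parse 'output alert_syslog: host=HOST[:PORT], FACILITY SEVERITY'.
    Returns (host, port, pri); port defaults to 514 when omitted."""
    prefix = "output alert_syslog:"
    if not line.startswith(prefix):
        raise ValueError("not an alert_syslog output line: %r" % line)
    host, port, words = None, 514, []
    for part in line[len(prefix):].split(","):
        for tok in part.split():
            if tok.startswith("host="):
                hp = tok[len("host="):]
                if ":" in hp:
                    host, p = hp.rsplit(":", 1)
                    port = int(p)
                else:
                    host = hp
            else:
                words.append(tok)
    if host is None:
        raise ValueError("host= is required for a remote syslog check")
    fac = [FACILITIES[w] for w in words if w in FACILITIES]
    sev = [SEVERITIES[w] for w in words if w in SEVERITIES]
    if not fac or not sev:
        raise ValueError("facility and severity must both be given")
    return host, port, fac[0] * 8 + sev[0]


def build_datagram(pri, msg, hostname="snortbox"):
    """RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day space-padded).
    The 'snort:' tag and hostname are constructed placeholders."""
    t = time.localtime()
    ts = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", t), t.tm_mday,
                                     t.tm_hour, t.tm_min, t.tm_sec)
    return ("<%d>%s %s snort: %s" % (pri, ts, hostname, msg)).encode("ascii", "replace")


def split_pri(datagram):
    """Decode the leading <PRI> of a datagram into (facility, severity)."""
    end = datagram.find(b">", 1, 6)
    if not datagram.startswith(b"<") or end < 0:
        raise ValueError("missing or malformed PRI")
    pri = int(datagram[1:end])
    return pri // 8, pri % 8


def send_syslog(host, port, datagram):
    """Fire one UDP datagram at host:port (the path the plugin should use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_check(conf_line, msg):
    """Send to a throwaway 127.0.0.1 listener instead of the configured host,
    and return (pri, received_bytes) so PRI and framing can be checked offline."""
    _host, _port, pri = parse_alert_syslog(conf_line)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_syslog("127.0.0.1", rx.getsockname()[1], build_datagram(pri, msg))
        data, _ = rx.recvfrom(2048)
    return pri, data


if __name__ == "__main__":
    line = "output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT"
    host, port, pri = parse_alert_syslog(line)
    print("would send to %s:%d with PRI %d" % (host, port, pri))
    print("loopback received:", loopback_check(line, "HPT-Catch All ICMP")[1])
```

If the loopback check passes but nothing reaches the loghost after `send_syslog(host, port, ...)`, watch UDP 514 on the loghost (for example with `tcpdump udp port 514`) while sending: a datagram that arrives but is not logged points at the receiving syslogd's configuration, while no datagram at all points at the sender, the name resolution of `host=`, or a filter in between.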
Current thread:
- Win32, output alert_syslog: host=xxxx broken? JP Vossen (May 01)
- Re: Win32, output alert_syslog: host=xxxx broken? Rich Adamson (May 01)
- Fixed: Win32, output alert_syslog: host=xxxx broken? JP Vossen (May 01)
- Re: Win32, output alert_syslog: host=xxxx broken? Rich Adamson (May 01)