Snort mailing list archives
syslog output plugin
From: "José M. Fandiño" <snort () fadesa es>
Date: Thu, 15 May 2003 16:46:27 +0200
Hello, I'm trying to run snort 2.0 on an OpenBSD machine, but I'm unable to get the syslog output plugin to work. Snort is jailed, running as an unprivileged user, and the ethernet interface hasn't any IP address assigned.

System scripts use this line to start snort:

    /usr/local/snort/bin/snort -t /usr/local/snort -devsI -c ./snort-ids.conf -D -u snortxl0 -g snortxl0 -P 1518 -i xl0 -A full -l /usr/local/snort/var/log/snort/

So, I have this line in my snort-ids.conf:

    output alert_syslog: LOG_AUTH LOG_ALERT

The syslog daemon opens a socket in the jailed environment, as you can see:

    syslogd -a /usr/local/snort/dev/log

    # file /usr/local/snort/dev/log
    /usr/local/snort/dev/log: socket

and this line in the syslog.conf file catches all messages:

    *.*     /var/log/all

I only see the snort initialization messages but nothing about alerts. :-? Any idea where the problem is?

    May 15 14:41:41 rastreador snort: OpenPcap() device xl0 network lookup: xl0: no IPv4 address assigned
    May 15 14:41:41 rastreador snort: Initializing daemon mode
    May 15 14:41:41 rastreador snort: PID path stat checked out ok, PID path set to /var/run/
    May 15 14:41:41 rastreador snort: Writing PID "17321" to file "/var/run//snort_xl0.pid"
    May 15 14:41:41 rastreador snort: http_decode arguments:
    May 15 14:41:41 rastreador snort: Unicode decoding
    May 15 14:41:41 rastreador snort: IIS alternate Unicode decoding
    May 15 14:41:41 rastreador snort: IIS double encoding vuln
    May 15 14:41:41 rastreador snort: Flip backslash to slash
    May 15 14:41:41 rastreador snort: Include additional whitespace separators
    May 15 14:41:41 rastreador snort: Ports to decode http on: 80
    May 15 14:41:41 rastreador snort: rpc_decode arguments:
    May 15 14:41:41 rastreador snort: Ports to decode RPC on: 111 32771
    May 15 14:41:41 rastreador snort: alert_fragments: INACTIVE
    May 15 14:41:41 rastreador snort: alert_large_fragments: ACTIVE
    May 15 14:41:41 rastreador snort: alert_incomplete: ACTIVE
    May 15 14:41:41 rastreador snort: alert_multiple_requests: ACTIVE
    May 15 14:41:41 rastreador snort: telnet_decode arguments:
    May 15 14:41:41 rastreador snort: Ports to decode telnet on: 21 23 25 119
    May 15 14:41:41 rastreador snort: command line overrides rules file alert plugin!
    May 15 14:41:45 rastreador snort: Snort initialization completed successfully
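A check that confirms syslogd is really listening on the socket inside the jail, independently of Snort: it sends one datagram with the same LOG_AUTH/LOG_ALERT priority the alert_syslog line requests (PRI = facility*8 + level = 33) and, for the self-test, stands in for syslogd with a local datagram socket. This is an added example, not code from the original post; the socket path, tag and message text are assumptions.

```python
import os
import socket
import tempfile

# Facility and level numbers as defined in <sys/syslog.h>; PRI = facility*8 + level.
FACILITIES = {"LOG_AUTH": 4, "LOG_DAEMON": 3, "LOG_LOCAL0": 16}
LEVELS = {"LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3, "LOG_WARNING": 4, "LOG_INFO": 6}


def build_syslog_msg(facility, level, tag, text):
    """Build a BSD-style syslog datagram as a local syslogd reads it from /dev/log."""
    pri = FACILITIES[facility] * 8 + LEVELS[level]
    return f"<{pri}>{tag}: {text}".encode()


def probe_jail_socket(sock_path, facility="LOG_AUTH", level="LOG_ALERT",
                      tag="snort-probe", text="syslog path test"):
    """Send one test message to the jail's log socket; return the bytes sent.

    A missing socket means syslogd was not started with -a <sock_path>
    (or the jail path is wrong), which is the first thing to rule out.
    """
    if not os.path.exists(sock_path):
        raise FileNotFoundError(f"{sock_path} missing: was syslogd started with -a {sock_path}?")
    payload = build_syslog_msg(facility, level, tag, text)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(payload, sock_path)
    finally:
        s.close()
    return payload


def self_test():
    """Emulate syslogd: bind a datagram socket in a temp dir, probe it, return what arrived."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "log")   # constructed stand-in for /usr/local/snort/dev/log
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    try:
        probe_jail_socket(path)
        return srv.recv(1024)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmp)


if __name__ == "__main__":
    # Against the real jail: afterwards grep /var/log/all for "snort-probe".
    print(probe_jail_socket("/usr/local/snort/dev/log"))
```

If the probe message shows up in /var/log/all but Snort alerts do not, the socket and syslog.conf are fine and the problem lies in how Snort selects its output plugin.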
Current thread:
- syslog output plugin José M. Fandiño (May 15)
- <Possible follow-ups>
- RE: syslog output plugin L. Christopher Luther (May 15)