Snort mailing list archives

Snort behavior


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 8 Apr 2003 11:48:51 -0600

I have been conducting some regression tests on earlier releases of snort
and have witnessed the erratic results with the syslog plugin.

With 1.8.7:

output alert_syslog: LOG_LOCAL5

snort -i eth0 -T works just fine without errors

However, regardless of what is specified as the facility, the output ALWAYS
goes to *.info, so perhaps a local5.info would be the appropriate entry in
syslog.conf rather than local5.*  ???

With 1.9.0:

output alert_syslog: LOG_LOCAL5

snort -i eth0 -T does not work and generates an error about an unrecognized
output plugin alert_syslog

This build does not appear to work with the alert_syslog

Workaround might be to use the -s instead ??

With 1.9.1:

Same behavior as 1.9.0... does not work


Results from 2.0 RC4:


output alert_syslog: LOG_LOCAL5
snort -i eth0 -T appears to work fine with no errors

same behavior with *.info, local5.info might be a better workaround in
syslog.conf


For those of you out there wishing to use syslog output and forward those
alerts over to another host... don't forget that the centralized syslog
repository needs to be configured to receive network syslogs
(/etc/sysconfig/syslog needs the -r), and I'm pretty certain that the sending
host needs to be configured to forward syslogs (/etc/sysconfig/syslog needs
the -h)

End of boring email...
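The post's open question is whether `local5.*` or `local5.info` is the right syslog.conf entry when Snort's alerts always arrive at priority info. The following is an added example, not code from the post or from the Snort project: a small Python parser for the classic sysklogd `/etc/syslog.conf` selector syntax (`facility.priority` lists separated by `;`, `*` wildcards, `none`, `=prio`, `!prio`, later selectors overriding earlier ones, and `@host` actions for forwarding). The configuration text and the host name `loghost.example.net` are constructed for the example. Run against a real syslog.conf it shows which files and remote hosts would actually receive a `local5.info` message, and that a stricter selector such as `local5.warning` would silently drop Snort's alerts.

```python
"""Which syslog.conf actions receive a given facility.priority?

Added example (not from the mailing-list post): parses sysklogd-style
selectors so an operator can confirm that Snort's alert_syslog messages
(observed in the post to arrive at priority "info") are caught.
"""

# syslog(3) priorities in ascending order of severity.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample /etc/syslog.conf; the host name is a placeholder.
SAMPLE_SYSLOG_CONF = """
# catch-all, but keep mail and authpriv out of it
*.info;mail.none;authpriv.none      /var/log/messages
local5.*                            /var/log/snort.log
local5.info                         @loghost.example.net
local5.warning                      /var/log/snort-warnings.log
kern.*;local5.none                  /var/log/kernel.log
"""


def _level(name):
    """Numeric severity of a priority name (aliases such as 'warn' accepted)."""
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def line_matches(selector_field, facility, priority):
    """Return True if a syslog.conf selector field logs facility.priority.

    Mirrors sysklogd: selectors are applied left to right to a per-facility
    set of enabled levels. A bare priority enables that level and everything
    more severe, '=prio' enables exactly one level, '!prio' disables that
    level and above, '*' enables all, and 'none' disables the facility.
    """
    allowed = set()
    for selector in selector_field.split(";"):
        facs, prio = selector.rsplit(".", 1)
        fac_list = facs.split(",")
        if "*" not in fac_list and facility not in fac_list:
            continue  # this selector says nothing about our facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        if prio == "none":
            bits, negate = set(range(len(PRIORITIES))), True
        elif prio == "*":
            bits = set(range(len(PRIORITIES)))
        elif prio.startswith("="):
            bits = {_level(prio[1:])}
        else:
            bits = set(range(_level(prio), len(PRIORITIES)))
        if negate:
            allowed -= bits
        else:
            allowed |= bits
    return _level(priority) in allowed


def destinations(conf_text, facility, priority):
    """List the actions (log files, '@host' forwards, ...) that receive the message."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector_field, action = line.split(None, 1)
        if line_matches(selector_field, facility, priority):
            hits.append(action.strip())
    return hits


def remote_forwards(conf_text, facility, priority):
    """Only the remote hosts ('@host' actions) that would receive the message."""
    return [a[1:] for a in destinations(conf_text, facility, priority) if a.startswith("@")]


if __name__ == "__main__":
    # Snort's alerts at local5.info: caught by both local5.* and local5.info,
    # but not by local5.warning and not by the kernel line's local5.none.
    for dest in destinations(SAMPLE_SYSLOG_CONF, "local5", "info"):
        print("local5.info ->", dest)
    print("forwarded to:", remote_forwards(SAMPLE_SYSLOG_CONF, "local5", "info"))
```

To check a live box, read `/etc/syslog.conf` into `destinations()` with facility `local5` and priority `info`; an empty result means the `output alert_syslog` line is writing to a facility/priority nobody is collecting. A `@host` action in the output is the sending side of the forwarding the post describes; the receiving host still has to accept network syslog.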


