Snort mailing list archives

RE: Repost: Syslog, but I don't want it


From: Marc Thompson <Marc.Thompson () bops com>
Date: Fri, 1 Jun 2001 11:27:48 -0500

Neil,

You showed me your snort startup line:

        snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

In my snort configuration file, I was setting tcpdump logging, so hadn't
set the -l $LOGPATH option.  I added the -l $LOGPATH argument on the command
line and it seems to have prevented syslog logging, which is what I want.
Also, it hasn't affected the tcpdump output, which I need.  All is well.

So, looks to me that if you start snort without the -l option, it will 
assume that alerts need to be sent to the syslog facility.  With the -l
option, it sends alerts to the logging dir specified and *not* syslog.

Thanks to everyone who provided me with insights and solutions on
this issue.  I think that the action of the -l option is probably by
design and ensures that alerts get sent somewhere in the event that
-l is not used.

So, this issue is resolved for me and it took less than 24 hours.  If I got
that quality of support from commercial vendors I wouldn't have to use
open/free software :-)

-Marc Thompson

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure, or distribution is prohibited.  If you are not the intended
recipient, please contact the sender and destroy all copies of the original message.


-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Friday, June 01, 2001 10:24 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Repost: Syslog, but I don't want it



Marc Thompson <Marc.Thompson () bops com> wrote:

You recommended that I run snort without the -D (Daemon-mode)
option.  I tried this, ran nmap, alerts fired but weren't sent
to syslog.  This is the behavior that I want, so your idea worked.

So, it seems that running snort in Daemon mode enables syslog
logging via the LOCAL facility.  I imagine that this is by design.

For what it's worth, here's the command line in the script I use
to start Snort 1.7 on my system (Solaris 2.7):

  snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

I think my variables make enough sense that you don't need me to
translate them.  ;-)  This arrangement works fine, in daemon mode,
and *without* logging to syslog.

Perhaps there is a problem with the RedHat implementation of Snort,
but it doesn't exist under Solaris.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
