Snort mailing list archives
RE: Repost: Syslog, but I don't want it
From: Marc Thompson <Marc.Thompson () bops com>
Date: Fri, 1 Jun 2001 11:27:48 -0500
Neil,

You showed me your snort startup line:

    snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

In my snort configuration file, I was setting tcpdump logging, so hadn't set the -l $LOGPATH option. I added the -l $LOGPATH argument on the command line and it seems to have prevented syslog logging, which is what I want. Also, it hasn't affected the tcpdump output, which I need. All is well.

So, looks to me that if you start snort without the -l option, it will assume that alerts need to be sent to the syslog facility. With the -l option, it sends alerts to the logging dir specified and *not* syslog.

Thanks to everyone who provided me with insights and solutions on this issue. I think that the action of the -l option is probably by design and ensures that alerts get sent somewhere in the event that -l is not used.

So, this issue is resolved for me and it took less than 24 hours. If I got that quality of support from commercial vendors I wouldn't have to use open/free software :-)

-Marc Thompson

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax: (512)346-8407

-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Friday, June 01, 2001 10:24 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Repost: Syslog, but I don't want it

Marc Thompson <Marc.Thompson () bops com> wrote:
> You recommended that I run snort without the -D (Daemon-mode) option. I tried this, ran nmap, alerts fired but weren't sent to syslog. This is the behavior that I want, so your idea worked.
>
> So, it seems that running snort in Daemon mode enables syslog logging via the LOCAL facility. I imagine that this is by design.
For what it's worth, here's the command line in the script I use to start Snort 1.7 on my system (Solaris 2.7):

    snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

I think my variables make enough sense that you don't need me to translate them. ;-)

This arrangement works fine, in daemon mode, and *without* logging to syslog. Perhaps there is a problem with the RedHat implementation of Snort, but it doesn't exist under Solaris.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users