Snort mailing list archives
snort 1.8.6 + OpenBSD 3.2-stable
From: Darren <darren () dazdaz org>
Date: Sun, 8 Dec 2002 17:40:37 +0000
Hello snort-users,
After spending all afternoon on this, I need some tips.
I am using OpenBSD 3.2-stable and snort 1.8.6 compiled from ports.
I can't get snort to write csv output. Is this a known issue or
am I doing something wrong?
/etc/snort.conf
output alert_syslog: LOG_AUTH LOG_ALERT
output csv: /var/log/snort/snort.log msg,proto,timestamp,src,srcport,dst,dstport
-bash-2.05b$ ls -ld /var/log/snort
drwxr-xr-x 2 snort snort 512 Dec 8 17:31 /var/log/snort
-bash-2.05b$ ls -l /var/log/snort/snort.log
-rw-r--r-- 1 snort snort 0 Dec 8 17:31 /var/log/snort/snort.log
I have to launch snort like this so it writes into /var/log/snort/
# snort -v -u snort -g snort -l /var/log/snort -D
-bash-2.05b$ ps auxw | grep snort
snort 21995 31.8 0.0 664 644 ?? Ss 5:38PM 0:14.62 snort -v -u snort -g snort -l /var/log/snort -D
Interestingly, without the -l option it won't write there, but this
is less important.
I'd like syslog and csv output.
Snort was built like this:
# cd /usr/ports/net/snort
# make install
-bash-2.05b$ grep LOG_AUTH /usr/include/syslog.h
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
{ "auth", LOG_AUTH },
{ "authpriv", LOG_AUTHPRIV },
{ "security", LOG_AUTH }, /* DEPRECATED */
-bash-2.05b$ grep LOG_ALERT /usr/include/syslog.h
#define LOG_ALERT 1 /* action must be taken immediately */
{ "alert", LOG_ALERT },
-bash-2.05b$ snort -V
-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
--
Best regards,
Darren mailto:darren () dazdaz org
