Snort mailing list archives

Win32, output alert_syslog: host=xxxx broken?


From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 1 May 2003 17:17:43 -0400 (EDT)

Per [0] and [1], "output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT"
should work on Windows, yet in Version 2.0.0-ODBC-MySQL-WIN32 (Build 72) [2]
it does not seem to.

I've tried these, none work (NOT using -s on CLI):
        output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
        output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
        output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
        output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT

Snort starts and runs fine with -T or -v, I get captures in the ./log dir as
expected, but no matter what, the events all end up in the Windows Event log,
NOT in my loghost's syslog.  Loghost is RedHat 8 and it's working as I am
getting syslog from other servers (in fact, I'm using BackLog on the Snort
Windows box, so I *do* get the Snort alerts, but from BackLog, not Snort. :-( )
Unfortunately, that is not a possible solution as this config is for a
customer who must run Snort on Windows and send to a syslog device doing
filtering.  Adding BackLog to the mix will break the filters.

C:\Snort> egrep "output alert|alert icmp" c:\snort\etc\snort.conf
# output alert_syslog: host=10.120.2.61:514, LOG_AUTH LOG_ALERT
#output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
#output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
#output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
alert icmp any any -> any any (msg: "HPT-Catch All ICMP";)

I'm running really simple (e.g. C:\Snort> bin\snort -c
c:\Snort\etc\snort.conf), and added the above temp rule to trigger alerts via
ping.  Everything works, except the alerts go to the wrong place.  I took a
peek at the source and it *looked* OK to me, but then I really don't know
squat about it.

Am I doing something dumb, or is it really broken?  If so, when might it be
fixed?

TIA,
JP


[0]
From: Chris Green <cmg () sourcefire com>
Date: Tue, 01 Apr 2003 14:34:49 -0500
Subject: [Snort-announce] Snort 2.0.0 RC2 Available!

Changes Since RC1
        syslog should work on win32 and unix


[1]
2003-03-27  Chris Reid  <chris.reid () codecraftconsultants com>

    Build 63

    * src/output-plugins/spo_alert_syslog.c
      Win32 '-s' now takes no arguments.  Host/port info is
      configured only within snort.conf (output alert_syslog).


[2]
http://www.snort.org/dl/binaries/win32/snort-2_0_0.exe


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
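Added example, not part of the original post and not Snort's code: a way to check, independently of Snort, that a syslog datagram with the facility/severity the snort.conf line asks for (LOG_AUTH LOG_ALERT, RFC 3164 PRI 4*8+1 = 33) actually reaches a UDP/514 listener, and to confirm what the loghost is receiving. The facility and severity tables are the RFC 3164 values; the hostname, tag and message text are constructed here and do not claim to match the exact line format spo_alert_syslog emits. Run with the sensor's own address instead of 127.0.0.1 on the loghost side to test the real path.

```python
"""Loopback check of a LOG_AUTH.LOG_ALERT syslog datagram over UDP.

Added example for the alert_syslog thread; not Snort code.  The PRI
encoding and the facility/severity numbers are from RFC 3164.  The
hostname/tag/message used below are constructed sample values.
"""
import socket
import time

# RFC 3164 facility codes, keyed by the names accepted in snort.conf
FACILITIES = {"LOG_AUTH": 4, "LOG_AUTHPRIV": 10, "LOG_DAEMON": 3,
              "LOG_USER": 1, "LOG_LOCAL0": 16, "LOG_LOCAL1": 17,
              "LOG_LOCAL2": 18, "LOG_LOCAL3": 19, "LOG_LOCAL4": 20,
              "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23}
# RFC 3164 severity codes
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; LOG_AUTH LOG_ALERT gives 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, hostname: str,
                  tag: str, msg: str, when: float = None) -> str:
    """Assemble an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    The day-of-month is space padded to two characters as the RFC wants
    (strftime's %e is not portable to Windows, so it is padded by hand).
    """
    tm = time.localtime(when)
    ts = f"{time.strftime('%b', tm)} {tm.tm_mday:2d} {time.strftime('%H:%M:%S', tm)}"
    return f"<{priority(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def parse_priority(datagram: bytes):
    """Return (facility_code, severity_code) decoded from the leading <PRI>.

    Useful on the loghost side to see whether the sensor's packets carry
    the facility the syslog filter expects.
    """
    text = datagram.decode("ascii", "replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("datagram has no RFC 3164 PRI field")
    pri = int(text[1:text.index(">")])
    return pri // 8, pri % 8


def send_and_receive(datagram: bytes, host: str = "127.0.0.1",
                     port: int = 0) -> bytes:
    """Bind a UDP listener, send one datagram to it, and return what arrived.

    port=0 lets the OS pick a free port so the check runs unprivileged;
    pass port=514 (as root/Administrator) to mimic a real syslog listener.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((host, port))
        srv.settimeout(2)
        addr = srv.getsockname()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            cli.sendto(datagram, addr)
        data, _ = srv.recvfrom(2048)
    return data


if __name__ == "__main__":
    # Constructed sample: the test rule from the post, as a syslog line
    line = build_message("LOG_AUTH", "LOG_ALERT", "snortwin32", "snort",
                         "[1:0:0] HPT-Catch All ICMP [**] 192.168.1.9 -> 192.168.1.5")
    got = send_and_receive(line.encode("ascii"))
    print("sent:    ", line)
    print("received:", got.decode("ascii"))
    print("facility/severity:", parse_priority(got))
```

If the loghost shows nothing while this script's datagrams arrive, the problem is on the Snort side (the plugin is not sending), not the network or syslogd filter; a packet capture on UDP/514 at the Windows box settles which.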


