Snort mailing list archives

Upgrade, 1.8.6->2.0.0rc5 - new version won't alert to syslog?


From: Glenn Forbes Fleming Larratt <glratt () is rice edu>
Date: Thu, 17 Apr 2003 16:41:05 -0500 (CDT)

ObFAQ:
} Q: Snort is not logging to syslog
}
} A1: You are using a command line option that overrides what you have in your
}     configuration file.  This is most often -A.
}
} A2: It may be logging to the wrong place.  Make sure syslog is configured
}     correctly.

Solaris 2.8 installation, runs snort 1.8.6 very happily - sample output
in /var/adm/messages:

} Apr 17 16:19:52 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Writing PID file to "/var/run/"
} Apr 17 16:19:55 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running
} Apr 17 16:20:00 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.210:32775

, but when I point to the 2.0.0 installation, I get (a) much more daemon.notice
traffic on initialization, but (b) *NO* alerts!

} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice]     Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice]     Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:14 snorto.my.domain snort: [ID 702911 daemon.notice] Snort initialization completed successfully

Command line with which I'm running snort (out of the same /etc/init.d/snort
file for both versions):

} /usr/site/snort/bin/snort -o -b -D -m 022 -A fast -i qfe1 -s -l /snort/qfe1 -c /usr/site/snort/rules/snort.conf > /dev/null 2>&1

I have tried:

- changing the order of the command line arguments (particularly -s);
- removing -s and configuring "output alert_syslog: LOG_AUTH LOG_ALERT"
   into snort.conf;

to no avail. I have also tried running at the command line without the
-D switch, in which case snort writes an "alert" file in /var/log/snort or
/var/log/snort/{interface}.

I'm convinced that snort is generating alerts, because of the results
of a "kill -USR1":

} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Snort analyzed 18407 out of 18407 packets,
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] dropping 0(0.000%) packets
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Breakdown by protocol:                Action Stats:
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice]     TCP: 16905      (91.840%)         ALERTS: 10
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice]     UDP: 1401       (7.611%)          LOGGED: 10

, but not syslogging them.

Can anyone shed some light on this?

Thanks,

        -g


Glenn Forbes Fleming Larratt          glratt () rice edu
http://is.rice.edu/~glratt

There are imaginary bugs to chase in heaven.
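The manual comparison the post makes (SIGUSR1 says ALERTS: 10, yet no auth.alert lines appear in /var/adm/messages) can be scripted. The following is an added example, not code from the post or from Snort: it parses Solaris-style syslog lines in the format quoted above and reports whether alerts counted by snort actually reached syslog. The hostnames, PIDs and addresses in the sample lines are constructed.

```python
import re

# Solaris syslog line from /var/adm/messages, in the shape quoted in the post:
#   "Apr 17 16:20:00 host snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[(?P<pid>\d+)\])?: "
    r"\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$")
SID_RE = re.compile(r"^\[\d+:\d+:\d+\] ")   # Snort's [gid:sid:rev] prefix on an alert line
STATS_RE = re.compile(r"ALERTS:\s*(\d+)")  # from the statistics dump printed on SIGUSR1

def parse_syslog(line):
    """Split one syslog line into fields; None if it is not a snort line in this format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def audit_snort_syslog(lines):
    """Compare the ALERTS count snort reports on SIGUSR1 with alert lines that reached syslog."""
    report = {"init_ok": False, "alert_lines": 0, "alerts_reported": None, "facilities": set()}
    for raw in lines:
        rec = parse_syslog(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("Snort initialization completed successfully"):
            report["init_ok"] = True
        if SID_RE.match(msg):
            report["alert_lines"] += 1
            report["facilities"].add(rec["facility"] + "." + rec["level"])
        m = STATS_RE.search(msg)
        if m:
            report["alerts_reported"] = int(m.group(1))
    # The SIGUSR1 counter is cumulative, so only the "counted but none logged" case is conclusive.
    if report["alerts_reported"] and report["alert_lines"] == 0:
        report["verdict"] = "alerts counted but none reached syslog"
    elif report["alert_lines"] > 0:
        report["verdict"] = "alerts reaching syslog"
    else:
        report["verdict"] = "nothing to compare"
    return report

# Constructed samples (host, PIDs and addresses are made up) mirroring the two runs in the post.
SAMPLE_OK = [
    "Apr 17 16:19:55 sensor snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running",
    "Apr 17 16:20:00 sensor snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.0.2.53:53 -> 192.0.2.10:32775",
]
SAMPLE_SILENT = [
    "Apr 17 16:13:14 sensor snort: [ID 702911 daemon.notice] Snort initialization completed successfully",
    "Apr 17 16:13:27 sensor snort: [ID 702911 daemon.notice]     TCP: 16905      (91.840%)         ALERTS: 10",
    "Apr 17 16:13:27 sensor snort: [ID 702911 daemon.notice]     UDP: 1401       (7.611%)          LOGGED: 10",
]
```

Run `audit_snort_syslog` over the lines of /var/adm/messages after a `kill -USR1`; a verdict of "alerts counted but none reached syslog" points at the output configuration rather than at the rules.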


