Snort mailing list archives
Upgrade, 1.8.6->2.0.0rc5 - new version won't alert to syslog? (fwd)
From: Glenn Forbes Fleming Larratt <glratt () is rice edu>
Date: Fri, 18 Apr 2003 11:47:02 -0500 (CDT)
Thanks for the input, all. Summary: the combination "-A fast -s" will write alerts to syslog in a snort-1.8.6-on-Solaris-8 installation, but the two command-line arguments seem to conflict in a snort-2.0.0-on-Solaris-8 installation, yielding no alerts to syslog.

I was able to get my desired result by striking both "-A fast" and "-s" from the command line in /etc/init.d/snort, and configuring

    # [Unix flavours should use this format...]
    # output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_syslog: LOG_AUTH LOG_ALERT
    #

into snort.conf .

-g
Glenn Forbes Fleming Larratt
glratt () rice edu
http://is.rice.edu/~glratt
There are imaginary bugs to chase in heaven.

---------- Forwarded message ----------
Date: Thu, 17 Apr 2003 16:41:05 -0500 (CDT)
From: Glenn Forbes Fleming Larratt <glratt () is rice edu>
To: snort-users () lists sourceforge net
Subject: Upgrade, 1.8.6->2.0.0rc5 - new version won't alert to syslog?

ObFAQ:
} Q: Snort is not logging to syslog
}
} A1: You are using a command line option that overrides what you have in your
} configuration file. This is most often -A.
}
} A2: It may be logging to the wrong place. Make sure syslog is configured
} correctly.

Solaris 2.8 installation, runs snort 1.8.6 very happily - sample output in /var/adm/messages:

} Apr 17 16:19:52 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Writing PID file to "/var/run/"
} Apr 17 16:19:55 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running
} Apr 17 16:20:00 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.210:32775

, but when I point to the 2.0.0 installation, I get (a) much more daemon.notice traffic on initialization, but (b) *NO* alerts!

} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice] Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice] Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:14 snorto.my.domain snort: [ID 702911 daemon.notice] Snort initialization completed successfully

Command line with which I'm running snort (out of the same /etc/init.d/snort file for both versions):

} /usr/site/snort/bin/snort -o -b -D -m 022 -A fast -i qfe1 -s -l /snort/qfe1 -c /usr/site/snort/rules/snort.conf > /dev/null 2>&1

I have tried:
- changing the order of the command line arguments (particularly -s);
- removing -s and configuring "output alert_syslog: LOG_AUTH LOG_ALERT" into snort.conf;
to no avail.

I have also tried running at the command line without the -D switch, in which case snort writes an "alert" file in /var/log/snort or /var/log/snort/{interface}.

I'm convinced that snort is generating alerts, because of the results of a "kill -USR1":

} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Snort analyzed 18407 out of 18407 packets,
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] dropping 0(0.000%) packets
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Breakdown by protocol: Action Stats:
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] TCP: 16905 (91.840%) ALERTS: 10
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] UDP: 1401 (7.611%) LOGGED: 10

, but not syslogging them. Can anyone shed some light on this?

Thanks,
-g
Glenn Forbes Fleming Larratt
glratt () rice edu
http://is.rice.edu/~glratt
There are imaginary bugs to chase in heaven.
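An added check, not part of the post or of Snort itself: a small parser for the Solaris /var/adm/messages lines quoted above that extracts the Snort alerts which actually reached syslog and compares them against the ALERTS counter from the SIGUSR1 statistics, so the "alerts generated but not syslogged" condition can be spotted automatically after an upgrade or config change. The sample log is constructed to mirror the quoted format; hostnames and addresses are placeholders.

```python
import re

# Constructed sample in the Solaris /var/adm/messages format quoted in the post
# (hostnames and addresses are placeholders, not captured traffic).
SAMPLE_LOG = """\
Apr 17 16:19:55 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running
Apr 17 16:20:00 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.210:32775
Apr 17 16:20:05 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.0.2.10:53 -> MY.NET.58.211:32776
Apr 17 16:21:00 snorto.my.domain snort: [ID 702911 daemon.notice] TCP: 16905 (91.840%) ALERTS: 10
"""

# Solaris syslog prefix: timestamp, host, "snort[pid]:" (pid optional), "[ID nnn facility.level]".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[(?P<pid>\d+)\])?: "
    r"\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$")
# Body of a Snort alert: [gid:sid:rev] name {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$")
# Alert counter from the SIGUSR1 statistics Snort writes to syslog.
STATS_RE = re.compile(r"ALERTS: (?P<n>\d+)")


def parse_alerts(text):
    """Return the Snort alerts that actually reached syslog, one dict per alert."""
    alerts = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        a = ALERT_RE.match(m.group("msg"))
        if a:
            rec = a.groupdict()
            rec["facility"], rec["level"] = m.group("facility"), m.group("level")
            alerts.append(rec)
    return alerts


def syslog_output_ok(text):
    """False when Snort's own statistics claim alerts but none reached syslog,
    which is the symptom in the post (alert output silently not configured)."""
    claimed = sum(int(m.group("n")) for m in STATS_RE.finditer(text))
    return claimed == 0 or len(parse_alerts(text)) > 0


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(a["sid"], a["name"], a["src"], "->", a["dst"], a["dport"])
    print("alerts reaching syslog:", syslog_output_ok(SAMPLE_LOG))
```

Run against a real /var/adm/messages after sending snort a USR1, a False result points at the output configuration (the -A / -s versus output alert_syslog conflict discussed above) rather than at the rules.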
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users