Snort mailing list archives

Re: Sensitive Data Preprocessor: logging single matches


From: Erik Johnson <ejohnson () vailsys com>
Date: Wed, 9 Mar 2011 12:29:15 -0600

On Tue, Mar 01, 2011 at 05:45:47PM -0500, Victor Roemer wrote:
> Ah, I missed that, sorry.
>
> Anyways, per my testing everything seems hunky-dory which leads me to
> believe that the issues you are currently experiencing are extraneous to the
> sensitive data preprocessor.


So, I found the problem. It was with my alert_syslog line:

I had

# syslog
output alert_syslog: LOG_ERR

According to the snort manual, alert_syslog should have the following
syntax:

alert_syslog: \
    <facility> <priority> <options>


After changing the alert_syslog line to the following, alerts are being
successfully logged.

# syslog
output alert_syslog: LOG_AUTH LOG_ERR



Now, another problem has arisen. Since enabling the sensitive data
preprocessor, I'm not getting anything logged to the tcpdump log. Here's
my log_tcpdump line:

# pcap
output log_tcpdump: tcpdump.log

I'm running snort as a daemon in CentOS, and the init script gets some
of its config options from /etc/sysconfig/snort, so I'll check both that
and the init script to see what's not working. Running ps shows no -r
option like you included in your manual snort run, so tcpdump logging is
definitely not being turned on.

--

Erik Johnson
System Administrator
Vail Systems
e: ejohnson () vailsys com
p: 866-254-7699

http://www.vailsys.com
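An added example, not part of Erik's post or of the Snort project: a small lint for the `output` directives in a snort.conf that catches the exact mistake described above (an `alert_syslog` line carrying a priority but no facility) and a `log_tcpdump` line with no filename. The facility, priority and option token sets are taken from the Snort manual's alert_syslog description as I recall it and are an assumption here; the lint only checks the manual's `<facility> <priority> <options>` shape and does not claim to reproduce Snort's own parser.

```python
import re

# Token sets as listed in the Snort manual's alert_syslog section (assumed here;
# Snort compares them case-insensitively, so we upper-case before matching).
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    f"LOG_LOCAL{i}" for i in range(8)}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")


def logical_lines(text):
    """Yield snort.conf lines with '#' comments stripped and backslash
    continuations (as in the manual's multi-line alert_syslog form) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def lint_outputs(conf_text):
    """Return a list of (plugin, problem) tuples for suspicious output lines."""
    problems = []
    for line in logical_lines(conf_text):
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1), m.group(2).split()
        if plugin == "alert_syslog":
            toks = [t.upper() for t in args]
            known = FACILITIES | PRIORITIES | OPTIONS
            if not any(t in FACILITIES for t in toks):
                problems.append((plugin, "no <facility> token (e.g. LOG_AUTH); "
                                         "manual syntax is <facility> <priority> <options>"))
            if not any(t in PRIORITIES for t in toks):
                problems.append((plugin, "no <priority> token (e.g. LOG_ERR)"))
            unknown = [t for t in toks if t not in known]
            if unknown:
                problems.append((plugin, "unrecognised token(s): " + " ".join(unknown)))
        elif plugin == "log_tcpdump" and not args:
            problems.append((plugin, "no output filename given"))
    return problems
```

Run `lint_outputs(open("/etc/snort/snort.conf").read())` and an empty list means every `output` line has the shape the manual documents.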
