[Snort-devel] Call for Bugs

Rich Adamson radamson at ...442...
Fri Jul 6 11:09:21 EDT 2001


> Monday.  If you know of anything that's broken or not working as
> expected, please send a short email describing the problem and we'll try
> to get it fixed ASAP.
> 

Marty,

The option to specify a syslog "Facility" and "Priority" in the rules does
not work with remote syslogging: 
  "output alert_syslog: LOG_AUTH LOG_ALERT"

If I use "-s 1.2.3.4" on startup, changing the above statement to anything
reasonable prior to the startup has no impact. (This has been traced and
analyzed with a Sniffer, observing the syslog packets on the wire.)

The only way that I've found to accomplish this is to change source
in log.c at multiple locations and re-compile. For example...
    {
     /* ICMP packets don't get port info... */
     /*    syslog(LOG_AUTHPRIV | LOG_ALERT, "%s: %s -> %s", msg,  */
           syslog(LOG_LOCAL3 | LOG_WARNING, "%s: %s -> %s", msg, 
                sip, dip);
    } 

Also, the "LOG_AUTHPRIV" value is defined with a non-standard value (10)
which causes some syslog daemons to choke. ("LOG_FTP" is also non-standard
as 11, and "LOG_CRON" value should be 15 not 9. All are defined in syslog.h)
Historically, valid Facility values are 0-8 and 15-23, while valid Priority 
values are 0-7.

I've been using a very nice Windows-based syslog app that has some nice
context-sensitive, threshold, paging-notification features for immediate
personalized alerts. Trying to manage syslog messages from multiple devices 
without the ability to specify Facility and Priority values from each
device is difficult at best.

It would be very nice if some Rule-specific value mapped to a syslog Priority
value, so the security admin person could specify different notification
processes depending upon the seriousness of the intrusion. But, that's 
probably asking too much for now.

If I were a stronger C programmer, I'd offer up the corrections. However,
I can barely read/understand the language, therefore I don't think you'd
want me to try that. It appears to me (although I might be wrong) that the log.c
and syslog.c source makes no attempt to use/read the values defined in the
"output alert_syslog:" statement at all. That also seems to be the same
opinion expressed in several postings by others over the last few months.

Rich
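Added example (not part of Rich's post and not Snort's own code): the check described above can be done without a sniffer on each run. The program below parses the two keywords of an "output alert_syslog:" line into the facility|priority value that syslog(3) expects, decodes the <PRI> prefix of a syslog line as it appears on the wire (facility = PRI / 8, severity = PRI % 8 per RFC 3164), and compares the two. The keyword table, the function names and the sample config/wire lines are assumptions constructed for the example; the numeric constants come from the platform's syslog.h.

```c
/* Verify that the PRI value Snort puts on the wire matches what the
 * "output alert_syslog: <facility> <priority>" line asked for.
 * Added example, not Snort code; names and sample inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

struct keyword { const char *name; int value; };

/* Facility keywords spelled as in syslog.h; values are the platform's. */
static const struct keyword facilities[] = {
    { "LOG_AUTH", LOG_AUTH },       { "LOG_AUTHPRIV", LOG_AUTHPRIV },
    { "LOG_DAEMON", LOG_DAEMON },   { "LOG_USER", LOG_USER },
    { "LOG_LOCAL0", LOG_LOCAL0 },   { "LOG_LOCAL1", LOG_LOCAL1 },
    { "LOG_LOCAL2", LOG_LOCAL2 },   { "LOG_LOCAL3", LOG_LOCAL3 },
    { "LOG_LOCAL4", LOG_LOCAL4 },   { "LOG_LOCAL5", LOG_LOCAL5 },
    { "LOG_LOCAL6", LOG_LOCAL6 },   { "LOG_LOCAL7", LOG_LOCAL7 },
};

/* Priority (severity) keywords, 0 = emergency ... 7 = debug. */
static const struct keyword severities[] = {
    { "LOG_EMERG", LOG_EMERG },     { "LOG_ALERT", LOG_ALERT },
    { "LOG_CRIT", LOG_CRIT },       { "LOG_ERR", LOG_ERR },
    { "LOG_WARNING", LOG_WARNING }, { "LOG_NOTICE", LOG_NOTICE },
    { "LOG_INFO", LOG_INFO },       { "LOG_DEBUG", LOG_DEBUG },
};

static int lookup(const struct keyword *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0)
            return tab[i].value;
    return -1;
}

/* Parse the argument part of "output alert_syslog: LOG_AUTH LOG_ALERT"
 * into the facility|priority value syslog(3) takes. Returns -1 on error. */
int parse_alert_syslog(const char *args)
{
    char fac[32], sev[32];
    if (sscanf(args, "%31s %31s", fac, sev) != 2)
        return -1;
    int f = lookup(facilities, sizeof facilities / sizeof *facilities, fac);
    int s = lookup(severities, sizeof severities / sizeof *severities, sev);
    if (f < 0 || s < 0)
        return -1;
    return f | s;
}

/* Decode the "<PRI>" prefix of a syslog line as seen on the wire.
 * facility = PRI >> 3, severity = PRI & 7. Returns PRI, or -1 if absent. */
int decode_pri(const char *line, int *facility, int *severity)
{
    if (line[0] != '<')
        return -1;
    char *end;
    long pri = strtol(line + 1, &end, 10);
    if (end == line + 1 || *end != '>' || pri < 0 || pri > 191)
        return -1;              /* 191 = facility 23, severity 7 */
    *facility = (int)(pri >> 3);
    *severity = (int)(pri & 7);
    return (int)pri;
}

/* 1 if the PRI on the wire equals the configured facility|priority. */
int wire_matches_config(const char *config_args, const char *wire_line)
{
    int f, s;
    int want = parse_alert_syslog(config_args);
    int got = decode_pri(wire_line, &f, &s);
    return want >= 0 && got == want;
}

int main(void)
{
    /* Constructed inputs: the directive from the post and two sample
     * syslog lines, one carrying the expected PRI and one carrying
     * LOG_LOCAL3|LOG_WARNING as in the hand-edited log.c. */
    const char *cfg = "LOG_AUTH LOG_ALERT";
    const char *ok  = "<33>Jul  6 11:09:21 sensor snort: example alert";
    const char *bad = "<156>Jul  6 11:09:21 sensor snort: example alert";
    int f, s;

    printf("configured value: %d\n", parse_alert_syslog(cfg));
    printf("wire PRI %d -> facility %d severity %d\n",
           decode_pri(bad, &f, &s), f, s);
    printf("match (ok line):  %d\n", wire_matches_config(cfg, ok));
    printf("match (bad line): %d\n", wire_matches_config(cfg, bad));
    return 0;
}
```

Feed the program the literal text of captured syslog datagrams (the payload begins with the "<PRI>" field) and the argument string from snort.conf; a mismatch reproduces the symptom Rich describes without re-reading packet dumps by hand.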