[Snort-devel] [patch] prefixing init messages to make logchecking easier

Christian Hammers ch at ...1765...
Mon Jan 6 16:25:04 EST 2003


Hello

Despite "-q", snort writes several messages to syslog when starting
up. As it restarts every morning after rotating its logs, I would like to
filter those messages out (my watchdog tells me if snort died anyway).

So I would suggest prefixing those lines to make this easier for the
admin.

Attached is a patch to begin with. Maybe it's not complete, though.

bye,

-christian-



-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch at ...1765...     Internet & Security for Professionals    Fax 0241/911879
          WESTEND ist CISCO Systems Partner - Authorized Reseller
-------------- next part --------------
--- snort-1.9.0rel.orig/src/snort.c
+++ snort-1.9.0rel/src/snort.c
@@ -1628,7 +1628,7 @@
 
     if(pv.daemon_flag)
     {
-        LogMessage("Snort initialization completed successfully, Snort running");
+        LogMessage("init: Snort initialization completed successfully, Snort running");
     }
     bzero((char *) &tz, sizeof(tz));
     gettimeofday(&starttime, &tz);
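Review bot: The "init: " prefix is spelled out as a bare literal inside every format string, here and in each of the hunks below (spp_rpc_decode.c, spp_telnet_negotiation.c, spp_conversation.c, spp_http_decode.c, spp_portscan2.c, util.c), so the tag that admins will build their log filters on has no single point of definition and is easy to get wrong in the messages this patch admits it may have missed. A macro in a shared header, `#define INIT_MSG "init: "`, used via adjacent-literal concatenation, `LogMessage(INIT_MSG "Snort initialization completed successfully, Snort running");`, keeps the prefix identical everywhere and lets it be changed or made configurable in one place. The prefix itself is worth a sentence in the documentation, since the util.c messages about the PID path and the PID file record restarts that an operator may not want silently dropped by a filter; a named constant makes it easier to decide which messages carry it. The enclosing function in this hunk starts before and continues past the hunk.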
--- snort-1.9.0rel.orig/src/preprocessors/spp_rpc_decode.c
+++ snort-1.9.0rel/src/preprocessors/spp_rpc_decode.c
@@ -139,7 +139,7 @@
     /* tokenize the argument list */
     toks = mSplit(portlist, " ", 31, &num_toks, '\\');
 
-    LogMessage("rpc_decode arguments:\n");
+    LogMessage("init: rpc_decode arguments:\n");
 
     /* convert the tokens and place them into the port list */
     for(num = 0; num < num_toks; num++)
@@ -187,7 +187,7 @@
     }
 
     /* print out final port list */
-    LogMessage("    Ports to decode RPC on: %s\n", portstr);
+    LogMessage("init:    Ports to decode RPC on: %s\n", portstr);
 }                                                                               
    
 
--- snort-1.9.0rel.orig/src/preprocessors/spp_telnet_negotiation.c
+++ snort-1.9.0rel/src/preprocessors/spp_telnet_negotiation.c
@@ -272,7 +272,7 @@
     /* tokenize the argument list */
     toks = mSplit(portlist, " ", 31, &num_toks, '\\');
 
-    LogMessage("telnet_decode arguments:\n");
+    LogMessage("init: telnet_decode arguments:\n");
 
     /* convert the tokens and place them into the port list */
     for(num = 0; num < num_toks; num++)
@@ -318,5 +318,5 @@
     }
     
     /* print out final port list */
-    LogMessage("    Ports to decode telnet on: %s\n", portstr);
+    LogMessage("init:    Ports to decode telnet on: %s\n", portstr);
 }
--- snort-1.9.0rel.orig/src/preprocessors/spp_conversation.c
+++ snort-1.9.0rel/src/preprocessors/spp_conversation.c
@@ -216,12 +216,12 @@
     AddFuncToPreprocList(ConvFunc);
 
 
-    LogMessage("Conversation Config:\n");
-    LogMessage("   KeepStats: %d\n", conv_data.keepstats);
-    LogMessage("   Conv Count: %d\n", conv_data.max_convs);
-    LogMessage("   Timeout   : %d\n", conv_data.timeout);
-    LogMessage("   Alert Odd?: %d\n", conv_data.alert_odd_protocols);
-    LogMessage("   Allowed IP Protocols: ");
+    LogMessage("init: Conversation Config:\n");
+    LogMessage("init:   KeepStats: %d\n", conv_data.keepstats);
+    LogMessage("init:   Conv Count: %d\n", conv_data.max_convs);
+    LogMessage("init:   Timeout   : %d\n", conv_data.timeout);
+    LogMessage("init:   Alert Odd?: %d\n", conv_data.alert_odd_protocols);
+    LogMessage("init:   Allowed IP Protocols: ");
     
 
     for(i=0;i<256;i++) 
--- snort-1.9.0rel.orig/src/preprocessors/spp_http_decode.c
+++ snort-1.9.0rel/src/preprocessors/spp_http_decode.c
@@ -242,7 +242,7 @@
     /* tokenize the argument list */
     toks = mSplit(portlist, " ", 31, &num_toks, '\\');
 
-    LogMessage("http_decode arguments:\n");
+    LogMessage("init: http_decode arguments:\n");
 
     /* convert the tokens and place them into the port list */
     for(num = 0; num < num_toks; num++)
@@ -250,45 +250,45 @@
         if(!strcasecmp(OPT_UNICODE, toks[num]))
         {
             check_iis_unicode = 1;
-	    LogMessage("    Unicode decoding\n");
+	    LogMessage("init:     Unicode decoding\n");
         }
         else if(!strcasecmp(OPT_ALTUNICODE, toks[num]))
         {
             check_alt_unicode = 1;
-	    LogMessage("    IIS alternate Unicode decoding\n");
+	    LogMessage("init:     IIS alternate Unicode decoding\n");
         }
         else if(!strcasecmp(OPT_DOUBLE_ENC, toks[num]))
         {
             check_double_encode = 1;
-	    LogMessage("    IIS double encoding vuln\n");
+	    LogMessage("init:     IIS double encoding vuln\n");
         }
         else if(!strcasecmp(OPT_INVALIDHEX, toks[num]))
         {
             abort_invalid_hex = 1;
-	    LogMessage("    Stop on invalid hex encoding\n");
+	    LogMessage("init:     Stop on invalid hex encoding\n");
         }
         else if(!strcasecmp(OPT_URL_PARAM, toks[num]))
         {
             end_on_url_param = 1;
-	    LogMessage("    Stop on URL parameter\n");
+	    LogMessage("init:     Stop on URL parameter\n");
         }
         else if(!strcasecmp(OPT_FLIP_SLASH, toks[num]))
         {
-	    LogMessage("    Flip backslash to slash\n");
+	    LogMessage("init:     Flip backslash to slash\n");
             iis_flip_slash = 1;
         }
         else if(!strcasecmp(OPT_WHITESPACE, toks[num]))
         {
 	    lookup_whitespace[9]=1;  /* TAB  */
 	    lookup_whitespace[13]=1; /* '\r' */
-	    LogMessage("    Include additional whitespace separators\n");
+	    LogMessage("init:     Include additional whitespace separators\n");
         }
         else if(!strcasecmp(PROFILE_APACHE, toks[num]))
         {
 	    /*	    abort_invalid_hex = 1;  */
 	    lookup_whitespace[9]=1;  /* TAB  */
 	    lookup_whitespace[13]=1; /* '\r' */
-	    LogMessage("    Apache profile\n");
+	    LogMessage("init:     Apache profile\n");
         }
         else if(!strcasecmp(PROFILE_IIS, toks[num]))
         {
@@ -296,12 +296,12 @@
 	    check_alt_unicode = 1;
 	    check_double_encode = 1;
 	    iis_flip_slash = 1;
-	    LogMessage("    IIS profile\n");
+	    LogMessage("init:     IIS profile\n");
         }
         else if(!strcasecmp(OPT_INTENAL_ALERTS, toks[num]))
         {
             internal_alerts = 1;
-	    LogMessage("    Internal Alerts enabled\n");
+	    LogMessage("init:     Internal Alerts enabled\n");
         }
         else if(isdigit((int)toks[num][0]))
         {
@@ -345,7 +345,7 @@
     }
 
     /* print out final port list */
-    LogMessage("    Ports to decode http on: %s\n", portstr);
+    LogMessage("init:    Ports to decode http on: %s\n", portstr);
 }
 
 
--- snort-1.9.0rel.orig/src/preprocessors/spp_portscan2.c
+++ snort-1.9.0rel/src/preprocessors/spp_portscan2.c
@@ -330,12 +330,12 @@
             }
         }
     }           
-    LogMessage ("    %s: %s\n", OPT_LOG, logpath);
-    LogMessage ("    %s: %d\n", OPT_MAX_SCANNER, ps2data.scanner_count);
-    LogMessage ("    %s: %d\n", OPT_TARGET_COUNT, ps2data.target_count);
-    LogMessage ("    %s: %d\n", OPT_TGT_LIMIT, ps2data.tgtThreshold);
-    LogMessage ("    %s: %d\n", OPT_PORT_LIMIT, ps2data.portThreshold);
-    LogMessage ("    %s: %d\n", OPT_TIMEOUT, ps2data.timeout);
+    LogMessage ("init:    %s: %s\n", OPT_LOG, logpath);
+    LogMessage ("init:    %s: %d\n", OPT_MAX_SCANNER, ps2data.scanner_count);
+    LogMessage ("init:    %s: %d\n", OPT_TARGET_COUNT, ps2data.target_count);
+    LogMessage ("init:    %s: %d\n", OPT_TGT_LIMIT, ps2data.tgtThreshold);
+    LogMessage ("init:    %s: %d\n", OPT_PORT_LIMIT, ps2data.portThreshold);
+    LogMessage ("init:    %s: %d\n", OPT_TIMEOUT, ps2data.timeout);
 
 
     ps2data.logfile = fopen(logpath, "a+");
@@ -1035,7 +1035,7 @@
                    " trying to activate spp_portscan2\n");
     }   
 
-    LogMessage ("Portscan2 config:\n");
+    LogMessage ("init: Portscan2 config:\n");
     ParseScanmungeArgs(args);
     gettimeofday(&tv, &tz);
 
--- snort-1.9.0rel.orig/src/util.c
+++ snort-1.9.0rel/src/util.c
@@ -671,7 +671,7 @@
         }
         else
         {
-            LogMessage("PID path stat checked out ok, PID path set to %s\n", _PATH_VARRUN);
+            LogMessage("init: PID path stat checked out ok, PID path set to %s\n", _PATH_VARRUN);
             strlcpy(pv.pid_path, _PATH_VARRUN, STD_BUF);
         }
     }
@@ -693,7 +693,7 @@
     {
         int pid = (int) getpid();
 
-        LogMessage("Writing PID \"%d\" to file \"%s\"\n", pid, pv.pid_filename);
+        LogMessage("init: Writing PID \"%d\" to file \"%s\"\n", pid, pv.pid_filename);
         fprintf(pid_file, "%d\n", pid);
         fclose(pid_file);
     }
@@ -1120,7 +1120,7 @@
 #ifndef WIN32
     pid_t fs;
 
-    LogMessage("Initializing daemon mode\n");
+    LogMessage("init: Initializing daemon mode\n");
 
     if(getppid() != 1)
     {

