[Snort-devel] alert_syslog enhancement suggestion

Bill Guyton guyton at ...2389...
Tue Jan 18 07:32:08 EST 2005


Forgive me if this has already been suggested.

In working with the alert_syslog output plugin, I've found that it would
be nice to be able to alter the "ident" string passed to openlog, so that
I could change the syslog output from something like:


Jan 14 00:19:34 svr-14 snort: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} ip.ip.ip.ip -> ip.ip.ip.ip

to:

Jan 14 00:19:34 svr-14 snort-WAN: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} ip.ip.ip.ip -> ip.ip.ip.ip


This is helpful when running more than one instance of snort on a machine.
I do know of the -I option to print the receiving interface name in alerts,
but in the situation of 100+ snort instances, it can be easier to recognize
a name than an interface.

I've attached two diff files based on the current cvs tree, should you
all think this might be a worthwhile addition...

-Bill

-------------- next part --------------
--- src/output-plugins/spo_alert_syslog.c	2003-12-03 09:22:22.000000000 -0600
+++ src/output-plugins/spo_alert_syslog.c.new	2005-01-13 17:49:15.000000000 -0600
@@ -15,7 +15,7 @@
 ** along with this program; if not, write to the Free Software
 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */
-/* $Id: spo_alert_syslog.c,v 1.38 2003/12/03 15:22:22 chris_reid Exp $ */
+/* $Id$ */
 
 /* spo_alert_syslog 
  * 
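Review bot: the `$Id: ... $` to `$Id$` change is unrelated to the ident feature; CVS re-expands the keyword on commit, so this hunk only adds noise to the patch and can be dropped so the diff stays focused on the functional change.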
@@ -72,8 +72,11 @@
     int facility;
     int priority;
     int options;
+    char *ident;
 } SyslogData;
 
+#define IDENT_SIZE_MAX 128
+
 void AlertSyslogInit(u_char *);
 SyslogData *ParseSyslogArgs(char *);
 void AlertSyslog(Packet *, char *, void *, Event *);
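Review bot: `char *ident` will end up pointing either at a string literal (the default) or at heap memory from `strndup`, so the field has mixed ownership and cannot be freed uniformly; consider declaring it `const char *` and documenting that it is never freed, or always allocating it so a cleanup path can release it. `IDENT_SIZE_MAX` is defined here but the limit it enforces is silent; a short comment stating that longer labels are truncated would help the next reader.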
@@ -124,7 +127,7 @@
     /* parse the argument list from the rules file */
     data = ParseSyslogArgs(args);
 
-    openlog("snort", data->options, data->facility);
+    openlog(data->ident, data->options, data->facility);
 
     DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking syslog alert function to call list...\n"););
 
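Review bot: `openlog()` on glibc and several other libc implementations stores the `ident` pointer rather than copying the string, so `data->ident` must stay valid (and unmodified) for the lifetime of the process; the current code satisfies that because the value is either a literal or a `strndup` result that is never freed, but that requirement should be stated in a comment next to the call. If `strndup` fails in `ParseSyslogArgs` the pointer is NULL here; passing a NULL ident is accepted by glibc (it falls back to the program name) but is not portable, so a NULL check before the call would be safer.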
@@ -172,6 +175,7 @@
     data->options = 0;
     data->facility = LOG_AUTH;
     data->priority = LOG_INFO;
+    data->ident = "snort";
 
     if(args == NULL)
     {
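Review bot: assigning the literal `"snort"` to a non-const `char *` compiles but invites an accidental write into read-only memory later; `const char *` on the field (or `strdup("snort")` here, matching the allocation path in the parser) would make the ownership consistent.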
@@ -292,6 +296,11 @@
 
         /* possible openlog options */
 
+	if (!strncasecmp("ident=", tmp, 6))
+	{
+	    data->ident = strndup(&tmp[6], IDENT_SIZE_MAX);
+	}
+	else
 #ifdef LOG_CONS 
         if(!strcasecmp("LOG_CONS", tmp))
         {
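Review bot: the return value of `strndup` is unchecked, a repeated `ident=` argument leaks the previous allocation, and an empty `ident=` yields an empty identity string that makes the syslog lines harder to attribute rather than easier; suggest rejecting an empty label and freeing any prior value before reassigning. `strndup` was a GNU extension at the time and is not available on every platform Snort builds on, so a `snprintf` into a fixed `IDENT_SIZE_MAX` buffer or a local fallback would be more portable. Also, the new block uses tab indentation while the surrounding code uses spaces, and placing a bare `else` directly before `#ifdef LOG_CONS` means that when `LOG_CONS` is undefined the `else` binds to whatever `if` is compiled next, which is fragile; closing the ident branch with its own `continue`/`return` pattern or putting the new keyword at the end of the chain avoids that.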
-------------- next part --------------
--- doc/snort_manual.tex	2004-12-15 09:26:02.000000000 -0600
+++ doc/snort_manual.tex.new	2005-01-13 18:02:16.000000000 -0600
@@ -2244,8 +2244,9 @@
 
 this module sends alerts to the syslog facility (much like the -s
 command line switch). this module also allows the user to specify
-the logging facility and priority within the snort rules file, giving
-users greater flexibility in logging alerts.
+the logging facility and priority as well as the openlog identity string
+within the snort rules file, giving users greater flexibility in logging
+alerts.
 
 \subsubsection{available keywords }
 
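Review bot: the manual text introduces the "openlog identity string" without saying what the default is or where the string appears; a sentence noting that it defaults to `snort`, shows up as the program name in each syslog line, and is intended to distinguish multiple Snort instances on one host would make the option's purpose clear to readers who have not seen this thread.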
@@ -2287,6 +2288,7 @@
 \item log\_ndelay 
 \item log\_perror
 \item log\_pid
+\item ident=label
 \end{itemize}
 
 \subsubsection{format}
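Review bot: `\item ident=label` lists `label` as if it were a literal keyword; the other items are literal option names, so marking the placeholder (for example `ident=\textit{label}`) and stating the 128 character limit at which the label is silently truncated would match the rest of the list and document the behaviour the code actually has.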
