[Snort-users] Bug in -s handling?!

Martin Roesch roesch at ...1...
Sun Jul 23 23:45:14 EDT 2000


Oops, another little one got by.  Is your syslog.conf configured to put
LOG_AUTH into auth.log?  Simple question, but it has to be asked.  On some
OS's, it can also end up in /var/log/messages or /var/log/security.

Here's the diff to get rid of that error message (which doesn't need to be
there any more):

--- ../snort-1.6.3/rules.c      Thu Jul 13 20:02:05 2000
+++ rules.c     Sun Jul 23 23:38:25 2000
@@ -982,39 +982,25 @@
             switch (pl_idx->entry.node_type)
             {
                 case NT_OUTPUT_ALERT:
-                    if (!pv.alert_cmd_override)
+                    if (AlertFunc == NULL)
                     {
-                        if (AlertFunc == NULL)
-                        {
-                            AlertFunc = CallAlertPlugins;
-                        }
-
-                        /* call the configuration function for the plugin */
-                        pl_idx->entry.func(pp_args);
-                    }
-                    else
-                    {
-                        ErrorMessage("WARNING: command line overrides rules
file alert plugin!\n");
+                        AlertFunc = CallAlertPlugins;
                     }
 
+                    /* call the configuration function for the plugin */
+                    pl_idx->entry.func(pp_args);
+
                     break;
 
                 case NT_OUTPUT_LOG:
-                    if (!pv.log_cmd_override)
-                    {
-                        if (LogFunc == NULL)
-                        {
-                            LogFunc = CallLogPlugins;
-                        }
-
-                        /* call the configuration function for the plugin */
-                        pl_idx->entry.func(pp_args);
-                    }
-                    else
+                    if (LogFunc == NULL)
                     {
-                        ErrorMessage("WARNING: command line overrides rules
file logging plugin!\n");
+                        LogFunc = CallLogPlugins;
                     }
 
+                    /* call the configuration function for the plugin */
+                    pl_idx->entry.func(pp_args);
+                    
                     break;
             }
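Review bot: In both the NT_OUTPUT_ALERT and NT_OUTPUT_LOG cases, pl_idx->entry.func(pp_args) now runs unconditionally, while AlertFunc / LogFunc is pointed at CallAlertPlugins / CallLogPlugins only when it is still NULL. If the pointer is already non-NULL when this code runs (the path the removed pv.alert_cmd_override / pv.log_cmd_override branches used to warn about), the plugin gets configured but this code does not install its dispatcher, and with the ErrorMessage gone nothing tells the operator that the configured plugin may never be called. Please either state the intended precedence in a comment at this spot or keep a one-line notice on that path. If the two override flags are not read anywhere else after this change, drop them in the same patch. Two smaller points: the removed ErrorMessage lines were wrapped by the mailer (the continuation `file alert plugin!\n");` has no leading "-"), so the hunk will not apply as posted, and the added line after the second pl_idx->entry.func(pp_args); contains only trailing whitespace.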



Christian Hammers wrote:
> 
> Hello list
> 
> When supplying "-s" it says:
>         WARNING: command line overrides rules file alert plugin!
> When not using it, there comes nothing in my /var/log/auth.log although
> I have the following in the snort-lib:
>         output alert_syslog: LOG_AUTH LOG_ALERT LOG_DEBUG
> and snort says:
>         ...
>         Initializing Plug-ins!
>         Initializating Output Plugins!
>         Output plugin: Alert-Syslog is setup...
> 
>         +++++++++++++++++++++++++++++++++++++++++++++++++++
>         Initializing rule chains...
>         WARNING: command line overrides rules file alert plugin!
>         Args: snort.log<>
>         683 Snort rules read...
>         ...
> 
> So why do I still have to give "-s" ?
> 
> bye,
> 
>  -christian-
> 
> --
>        Be careful, you can be replaced by this computer.
> ---------------------------------------------------------------------------
> Linux - the choice of the GNU generation.           Join the Debian Project
>                                                       http://www.debian.org
> Christian Hammers * Oberer Heidweg 35 * D-52477 Alsdorf * Tel.: 02404-25624
> 0AA3 E879 1D82 F59E 77A4 0096 911F 4AE6 86A1 18E6 1024D/86A118E6 1999-09-17
> 

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management



