[Snort-users] Repost: Syslog, but I don't want it

Marc Thompson Marc.Thompson at ...2101...
Fri Jun 1 11:10:10 EDT 2001


Joe,

You recommended that I run snort without the -D (Daemon-mode)
option.  I tried this, ran nmap, alerts fired but weren't sent
to syslog.  This is the behavior that I want, so your idea worked.

So, it seems that running snort in Daemon mode enables syslog
logging via the LOCAL facility.  I imagine that this is by design.

What do you recommend I try next? Bug report?  Enhancement Request?

One other possibility is configuring syslog to ignore messages coming
from Snort.  I don't know how to do that off the top of my head, but
if you think that may be the way to go I can give it a try.

Finally, I heard Marty Roesch speak at SANS in Baltimore last month,
maybe I could send him a direct question...

Thank you,
Marc Thompson

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure, or distribution is prohibited.  If you are not the intended recipient,
please contact the sender and destroy all copies of the original message.


-----Original Message-----
From: Joe McAlerney [mailto:joey at ...47...]
Sent: Thursday, May 31, 2001 4:45 PM
To: Marc Thompson
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Repost: Syslog, but I don't want it


Well, nothing really comes to mind, but these are the steps I would
take.

1) Check to see if another snort process is running in the background. 
Perhaps it is using -s.
2) Double and Triple check that "output alert_syslog" is not being used
in your configuration file or any files included in your configuration
file.  Grep for "syslog".
3) Try running snort without -D.  Same results?
4) Use a test config file with one rule in it:

	alert icmp any any -> any any (msg:"Test ICMP rule";)

   Ping some machines on your network.  Are they being sent to syslog?

5) Could there be output plugins in your original configuration file
that are somehow indirectly linked to syslog on your system?  It's a
long shot, but if the facilities they use are somehow communicating to
syslog as well, that could be the issue.

Any other ideas?

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Marc Thompson wrote:
> 
> This is a Repost.  Basically, snort is logging to syslog and I
> don't know how to prevent it.
> 
> ***Original Message***
> 
> I'm having a problem with Snort Version 1.7 on RedHat 7.1.  I am
> getting messages sent to syslog, but don't want them there.  Here
> is the command-line that I'm using to start Snort:
> 
>         snort -c /etc/snort/snort.10.3.1.0.conf -i eth0 -D
> 
> The referenced snort.10.3.1.0.conf has no reference to syslog in it
> that is uncommented.  I didn't specifically compile (knowingly)
> to use syslog.  I can't find a line in the configuration of the source
> that indicates syslog should or shouldn't be used.
> 
> Otherwise, snort is working great.  It logs in binary in tcpdump format
> nicely and also logs to a remote MySQL Server.
> 
> Thank you in advance,
> Marc Thompson
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
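The first two steps of Joe's checklist (is a snort already running with -s, and is there an uncommented syslog output line anywhere in the config or in a file it includes) are easy to get wrong by hand, because "include" lines pull in further files. The shell script below is an added example written for this page; it is not code from the thread or from the Snort project. The config tree it scans is a constructed sample written to a temporary directory so the script runs offline, the include-following and the process check are the script's own logic, and it deliberately does not cover the case Marc reported, where alerts only reached syslog when snort was started with -D.

```shell
#!/bin/sh
# Added example, not from the thread: audit why Snort alerts may be reaching
# syslog. Covers steps 1 and 2 of Joe's checklist: a running snort started
# with -s, and an uncommented "output alert_syslog" line in the config or in
# any file it includes. It does not cover the -D behaviour Marc observed.

# scan_config FILE: print "file: line" for every uncommented line that
# mentions syslog, following "include PATH" directives (relative paths are
# resolved against the including file's directory).
scan_config() {
    cfg="$1"
    dir=$(dirname "$cfg")
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 1
    fi
    # drop comment lines first so a commented-out alert_syslog is not reported
    grep -v '^[[:space:]]*#' "$cfg" | grep -i 'syslog' | sed "s|^|$cfg: |"
    grep -v '^[[:space:]]*#' "$cfg" | awk '$1 == "include" { print $2 }' |
    while read -r inc; do
        case "$inc" in
            /*) path="$inc" ;;
            *)  path="$dir/$inc" ;;
        esac
        # recurse in a subshell so this loop's cfg/dir are not clobbered
        ( scan_config "$path" )
    done
}

# count_syslog_refs FILE: number of uncommented syslog references found
count_syslog_refs() {
    scan_config "$1" | wc -l | tr -d ' '
}

# snort_procs_with_s: command lines of running snort processes that carry a
# -s flag (step 1 of the checklist); prints nothing when none is found.
# The -w match is approximate: it looks for -s as a separate word.
snort_procs_with_s() {
    ps -eo args 2>/dev/null | grep '^[^ ]*snort ' | grep -w -- '-s' || true
}

# --- constructed sample config tree, so the example runs offline ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/rules"
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
# constructed sample main config
var HOME_NET 10.3.1.0/24
# output alert_syslog: LOG_AUTH LOG_ALERT   (commented out: must be ignored)
output log_tcpdump: snort.log
include outputs.conf
include rules/local.rules
EOF
cat > "$SAMPLE_DIR/outputs.conf" <<'EOF'
# constructed sample: included output plugins
output database: log, mysql, user=snort dbname=snort host=db.example.invalid
output alert_syslog: LOG_LOCAL0 LOG_ALERT
EOF
cat > "$SAMPLE_DIR/rules/local.rules" <<'EOF'
alert icmp any any -> any any (msg:"Test ICMP rule";)
EOF

# Run the audit against the sample tree: the only hit should be the
# alert_syslog line hidden in the included outputs.conf.
scan_config "$SAMPLE_DIR/snort.conf"
echo "syslog references: $(count_syslog_refs "$SAMPLE_DIR/snort.conf")"
snort_procs_with_s
```

Point scan_config at the real snort.conf to use it; a hit in an included file is exactly the thing a plain grep of the main config misses. If both checks come back empty and alerts still reach syslog only under -D, the cause is the daemon-mode default Marc described rather than the configuration.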



