[Snort-users] Repost: Syslog, but I don't want it

Marc Thompson Marc.Thompson at ...2101...
Fri Jun 1 12:27:48 EDT 2001


Neil,

You showed me your snort startup line:

	snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME
-o

In my snort configuration file, I was setting tcpdump logging, so hadn't
set the -l $LOGPATH option.  I added the -l $LOGPATH argument on the command
line and it seems to have prevented syslog logging, which is what I want.
Also, it hasn't affected the tcpdump output, which I need.  All is well.

So, looks to me that if you start snort without the -l option, it will 
assume that alerts need to be sent to the syslog facility.  With the -l
option, it sends alerts to the logging dir specified and *not* syslog.

Thanks to everyone who provided me with insights and solutions on
this issue.  I think that the action of the -l option is probably by
design and ensures that alerts get sent somewhere in the event that
-l is not used.

So, this issue is resolved for me and it took less than 24 hours.  If I got
that quality of support from commercial vendors I wouldn't have to use
open/free software :-)

-Marc Thompson

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may
contain
confidential and privileged information.  Any unauthorized review, use,
disclosure, or distribution is prohibited.  If you are not the intended
recipient, 
please contact the sender and destroy all copies of the original message.


-----Original Message-----
From: Neil Dickey [mailto:neil at ...1633...]
Sent: Friday, June 01, 2001 10:24 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Repost: Syslog, but I don't want it



Marc Thompson <Marc.Thompson at ...2101...> wrote:

>You recommended that I run snort without the -D (Daemon-mode)
>option.  I tried this, ran nmap, alerts fired but weren't sent
>to syslog.  This is the behavior that I want, so your idea worked.
>
>So, it seems that running snort in Daemon mode enables syslog
>logging via the LOCAL facility.  I imagine that this is by design.

For what it's worth, here's the command line in the script I use
to start Snort1.7 on my system ( Solaris2.7 ):

  snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

I think my variables make enough sense that you don't need me to
translate them.  ;-)  This arrangement works fine, in daemon mode,
and *without* logging to syslog.

Perhaps there is a problem with the RedHat implementation of Snort,
but it doesn't exist under Solaris.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list