[Snort-users] Repost: Syslog, but I don't want it

Marc Thompson Marc.Thompson at ...2101...
Sun Jun 3 21:56:49 EDT 2001


As requested, my snort config without comment lines.  I earlier
hypothesized that the lack of the '-l' command-line argument
to snort caused it to log to syslog by default.  My hypothesis
turned out to be wrong, though.  

So, I'm still having the problem.

My current snort command line is:
	snort -c /etc/snort/snort.conf -i eth1 -Dd -l /var/log/snort

Thank you,
Marc Thompson

** Snort conf file.  Only thing different is that I've
obfuscated the IP addresses.

var HOME_NET xxx.xxx.xxx.xxx/xxx
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out 
output database: log, mysql, user=snort password=xxxx dbname=snort host=xxxx sensor_name=nids encoding=hex
include /etc/snort/webcgi-lib
include /etc/snort/webcf-lib
include /etc/snort/webiis-lib
include /etc/snort/webfp-lib
include /etc/snort/webmisc-lib
include /etc/snort/overflow-lib
include /etc/snort/finger-lib
include /etc/snort/ftp-lib
include /etc/snort/smtp-lib
include /etc/snort/telnet-lib
include /etc/snort/misc-lib
include /etc/snort/netbios-lib
include /etc/snort/scan-lib
include /etc/snort/ddos-lib
include /etc/snort/backdoor-lib
#include /etc/snort/ping-lib
include /etc/snort/rpc-lib
include /etc/snort/virus-lib

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information.  Any unauthorized review,
use, disclosure, or distribution is prohibited.  If you are not the intended
recipient, please contact the sender and destroy all copies of the original
message.


-----Original Message-----
From: Fyodor [mailto:fygrave at ...121...]
Sent: Saturday, June 02, 2001 5:03 AM
To: Marc Thompson
Cc: 'snort-users at lists.sourceforge.net'; 'joey at ...155...'
Subject: Re: [Snort-users] Repost: Syslog, but I don't want it


On Fri, Jun 01, 2001 at 10:10:10AM -0500, Marc Thompson wrote:
> Joe,
> 
> You recommended that I run snort without the -D (Daemon-mode)
> option.  I tried this, ran nmap, alerts fired but weren't sent
> to syslog.  This is the behavior that I want, so your idea worked.
> 
> So, it seems that running snort in Daemon mode enables syslog
> logging via the LOCAL facility.  I imagine that this is by design.
> 

By design only errors and warnings are logged via syslog if it's running
in daemon mode.

> What do you recommend I try next? Bug report?  Enhancement Request?
> 

Well, if you could show us relevant snippets of the configuration file,
so we could reproduce 'the bug', it would be helpful indeed. :)
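Added example for this thread (not code from the list or from the Snort project): a small Python checker that reads the snort.conf and command line posted above and inventories every configured alert and log sink, so a reader can see at a glance whether syslog is among them. It assumes Snort 1.x semantics for the output plugin names and for the -s, -D and -l switches, and it only covers sinks that are explicitly configured; the daemon-mode error and warning messages Fyodor describes go to syslog regardless.

```python
import re
import shlex

# Constructed from the config and command line posted in the thread
# (comment lines dropped, the wrapped 'output database' line rejoined).
SNORT_CONF = """\
var HOME_NET xxx.xxx.xxx.xxx/xxx
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out
output database: log, mysql, user=snort password=xxxx dbname=snort host=xxxx sensor_name=nids encoding=hex
"""
SNORT_CMDLINE = "snort -c /etc/snort/snort.conf -i eth1 -Dd -l /var/log/snort"

def parse_outputs(conf_text):
    """Return (plugin, facility, args) per 'output' line; facility is 'alert'
    or 'log' (first argument for database, name prefix for the others)."""
    outputs = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+(\w+)\s*:?\s*(.*?)\s*$", line)
        if not m:
            continue
        plugin, args = m.groups()
        if plugin == "database":
            facility = args.split(",")[0].strip()
        else:
            facility = "alert" if plugin.startswith("alert") else "log"
        outputs.append((plugin, facility, args))
    return outputs

def parse_cmdline(cmdline):
    """Split bundled short flags ('-Dd' -> D and d) and capture the -l dir."""
    flags, logdir, argv = set(), None, shlex.split(cmdline)[1:]
    for i, tok in enumerate(argv):
        if tok.startswith("-") and len(tok) > 1:
            flags.update(tok[1:])
            if tok == "-l" and i + 1 < len(argv):
                logdir = argv[i + 1]
    return flags, logdir

def sink_report(conf_text, cmdline):
    """Summarise where alerts and packet logs would go. Syslog is reported
    only for the explicit Snort 1.x routes: alert_syslog or the -s switch."""
    outputs = parse_outputs(conf_text)
    flags, logdir = parse_cmdline(cmdline)
    plugins = {p for p, _, _ in outputs}
    return {"alert_sinks": [p for p, f, _ in outputs if f == "alert"],
            "log_sinks": [p for p, f, _ in outputs if f == "log"],
            "daemon": "D" in flags, "logdir": logdir,
            "syslog_configured": "s" in flags or "alert_syslog" in plugins}
```

Run against the posted files, the report shows no alert output plugin at all and no syslog route, which is what makes the observed syslog traffic worth tracking down rather than a configuration slip.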
