[Snort-users] new to snort
neil at ...1633...
Sat Mar 31 11:37:23 EST 2001
>Thanks Neil for your help.
>What I have now in my rc.local start up file is:
>/usr/local/bin/snort -p -D -s -u daemon -g daemon -c snort.conf
Just for comparison, here's what I do:
snort -dD -h $HOME_NET/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o
I'm running under Solaris, so what I do may need to be different
from your setup. What OS are you using?
I have to use promiscuous mode because I'm watching over a network
of approximately 60 machines running mixed operating systems. I
need to see what's happening to them as well.
>That does what I want it to do - starts snort as a daemon without putting eth0 into promisc
>mode. I tested it with a couple of nmaps and flood pings from other hosts and got what I had
>hoped: lots of log entries in /var/log/snort.
/var/log/snort is the default logfile.
>The -s option sends alerts to the syslog daemon, yes? This should mean that alerts turn up in
True "on many other [viz. non-Linux] boxes", according to the manual page.
Apparently this is not so in your case, because ...
>They aren't. I realise that I probably have to add something to the
>syslog.conf file, but not sure what. Can anyone tell me what I need to add?
A simpler option, and the one I prefer, is to use the "-l" option instead
of "-s" when starting Snort to specify the log location. Snort logs can
get really big sometimes, and I like to keep them separate from my other
system logs to avoid potential trouble -- like packed filesystems and a
crashed syslogd. Hard experience: I used to put my Snort logs in a
filesystem that had 160 megs of free space, conveniently located with
syslog output. Then one night someone got interested in us, and filled it
all up. Oops. Time to re-think.
Neil Dickey, Ph.D.
Northern Illinois University
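The advice above (log with -l to a directory of its own, away from syslog, and keep an eye on free space) can be enforced by the start-up script itself. The following wrapper is an added example, not code from the original post or from the Snort project. It assumes a hypothetical layout: Snort at /usr/local/bin/snort, rules in $RULESPATH/$RULESNAME, the Snort log directory in $LOGPATH, and syslog output under /var/log. It refuses to start Snort when the log directory shares a filesystem with /var/log or has less than a chosen number of megabytes free, which is exactly the failure mode described in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): a start-up
# wrapper that checks the Snort log directory before launching Snort with -l.
# Assumptions (hypothetical): paths below, and a minimum free space in MB.
SNORT=/usr/local/bin/snort
LOGPATH=${LOGPATH:-/var/snort}
RULESPATH=${RULESPATH:-/usr/local/etc/snort}
RULESNAME=${RULESNAME:-snort.conf}
SYSLOGDIR=/var/log
MIN_FREE_MB=500

# Device backing a path: first column of the second line of `df -P`.
fs_device() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# Free space in MB on the filesystem holding a path (df -P reports 1K blocks).
free_mb() {
    df -P "$1" | awk 'NR==2 {printf "%d\n", $4/1024}'
}

# True (0) if both paths live on the same filesystem.
same_filesystem() {
    [ "$(fs_device "$1")" = "$(fs_device "$2")" ]
}

# True (0) if the filesystem holding $1 has at least $2 MB free.
has_free_mb() {
    [ "$(free_mb "$1")" -ge "$2" ]
}

# Check $1 (Snort log dir) against $2 (syslog dir) and a minimum of $3 MB.
# Returns 0 when it is safe to start Snort, 1 otherwise; prints the reason.
snort_log_dir_ok() {
    logdir=$1; syslogdir=$2; minmb=$3
    if [ ! -d "$logdir" ]; then
        echo "log dir $logdir does not exist" >&2; return 1
    fi
    if same_filesystem "$logdir" "$syslogdir"; then
        echo "$logdir shares a filesystem with $syslogdir; a full Snort log" \
             "would also starve syslogd" >&2; return 1
    fi
    if ! has_free_mb "$logdir" "$minmb"; then
        echo "less than ${minmb}MB free under $logdir" >&2; return 1
    fi
    return 0
}

# Launch Snort as a daemon, logging to $LOGPATH with -l (not -s), as in the post.
start_snort() {
    snort_log_dir_ok "$LOGPATH" "$SYSLOGDIR" "$MIN_FREE_MB" || return 1
    "$SNORT" -dD -l "$LOGPATH" -c "$RULESPATH/$RULESNAME"
}

# Only launch when explicitly asked, so the file can also be sourced for its
# helper functions (e.g. from a cron job that re-checks free space).
if [ "${RUN_SNORT:-0}" = "1" ]; then
    start_snort
fi
```

Run it from rc.local as `RUN_SNORT=1 sh /usr/local/sbin/snort-start.sh`. The device comparison is deliberately coarse: it only asks whether a runaway Snort log could fill the same filesystem that syslogd writes to, which is the scenario the post describes.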