[Snort-users] new to snort

Neil Dickey neil at ...1633...
Sat Mar 31 11:37:23 EST 2001

Dear Fiona,

>Thanks Neil for your help.

You're welcome.

>What I have now in my rc.local start up file is:
>cd /usr/local/snort-1.7
>/usr/local/bin/snort -p -D -s -u daemon -g daemon -c snort.conf

Just for comparison, here's what I do:

  snort -dD -h $HOME_NET/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

I'm running under Solaris, so what I do may need to be different
from your setup.  What OS are you using?

I have to use promiscuous mode because I'm watching over a network
of approximately 60 machines running mixed operating systems.  I
need to see what's happening to them as well.

>That does what I want it to do - starts snort as a daemon without putting eth0 into promisc 
>mode. I tested it with a couple of nmaps and flood pings from other hosts and got what I had 
>hoped.. lots of log entries in /var/log/snort.

/var/log/snort is the default logfile.

>The -s option sends alerts to the syslog daemon, yes? This should mean that alerts turn up in 

True "on many other [viz. non-Linux] boxes" according to the manual page.
Apparently this is not so in your case, because ...

>They aren't. I realise that I probably have to add something to the 
>syslog.conf file, but not sure what. Can anyone tell me what I need to add?

A simpler option, and the one I prefer, is to use the "-l" option instead
of "-s" when starting Snort to specify the log location.  Snort logs can
get really big sometimes, and I like to keep them separate from my other
system logs to avoid potential trouble -- like packed filesystems and a
crashed syslogd.  Hard experience:  I used to put my Snort logs in a
filesystem that had 160 megs of free space, conveniently located with
syslog output.  Then one night someone got interested in us, and filled it
all up.  Oops.  Time to re-think.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
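The two start-up lines in this exchange, and Neil's point about keeping Snort logs off the syslog filesystem, can be turned into an rc.local-style wrapper. The script below is an added example and is not code from either poster; it only reuses the Snort 1.x option letters quoted in the thread (-p, -D, -d, -h, -l, -c, -o). The function names, the SNORT_BIN/SYSLOG_DIR/MIN_FREE_KB variables and the 512 MB floor are my own assumptions, and it says nothing about the -s/syslog.conf question because the thread does not settle which syslog facility Snort 1.7 uses.

```shell
#!/bin/sh
# Added example (not from the thread): a start wrapper for Snort that keeps the
# log directory on its own filesystem and refuses to start when it is nearly
# full. Option letters (-p -D -d -h -l -c -o) are the Snort 1.x ones quoted in
# the thread; the function names, variables and thresholds below are assumed.

# Column 4 of POSIX `df -P` output is "Available" in 1024-byte blocks.
free_kb() {
    df -P -k "$1" | awk 'NR == 2 { print $4 }'
}

# Device (first df column) backing the filesystem that holds a path.
fs_device() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Succeed if log directory $1 exists and its filesystem has at least $2 KB free.
log_fs_ok() {
    dir=$1
    min_kb=$2
    [ -d "$dir" ] || return 1
    avail=$(free_kb "$dir")
    [ -n "$avail" ] && [ "$avail" -ge "$min_kb" ]
}

# Succeed if the Snort log directory $1 is on a different filesystem from
# $2 (normally the directory syslogd writes to), so a burst of Snort output
# cannot pack the filesystem that syslog needs.
log_fs_separate() {
    logdev=$(fs_device "$1")
    sysdev=$(fs_device "$2")
    [ -n "$logdev" ] && [ -n "$sysdev" ] && [ "$logdev" != "$sysdev" ]
}

# Print the Snort arguments for one of two roles:
#   host - watch only this machine: -p keeps the interface out of
#          promiscuous mode (Fiona's setup)
#   net  - watch the subnet $4 (CIDR) in promiscuous mode, with -d to log
#          application-layer data and -o to change rule order (Neil's setup)
# $2 is the log directory, $3 the rules file.
snort_args() {
    role=$1 logdir=$2 rules=$3 homenet=$4
    case $role in
        host) printf '%s\n' "-p -D -l $logdir -c $rules" ;;
        net)  printf '%s\n' "-d -D -h $homenet -l $logdir -c $rules -o" ;;
        *)    return 1 ;;
    esac
}

# rc.local-style entry point. Exits non-zero instead of starting Snort when
# the log filesystem is shared with syslog or has less than MIN_FREE_KB free.
start_snort() {
    role=$1 logdir=$2 rules=$3 homenet=$4
    syslog_dir=${SYSLOG_DIR:-/var/log}    # where syslogd writes (assumed)
    min_free=${MIN_FREE_KB:-524288}        # 512 MB floor (assumed)

    if ! log_fs_separate "$logdir" "$syslog_dir"; then
        echo "snort: $logdir shares a filesystem with $syslog_dir; refusing" >&2
        return 1
    fi
    if ! log_fs_ok "$logdir" "$min_free"; then
        echo "snort: less than ${min_free}KB free under $logdir; refusing" >&2
        return 1
    fi
    args=$(snort_args "$role" "$logdir" "$rules" "$homenet") || return 1
    # word-splitting of $args is intended: each option becomes its own argument
    ${SNORT_BIN:-/usr/local/bin/snort} $args
}

# Example rc.local usage (commented out so the file can be sourced):
# start_snort host /var/log/snort /usr/local/snort-1.7/snort.conf
# start_snort net  /var/log/snort /usr/local/snort-1.7/snort.conf 192.168.1.0/24
```

The refusal to start is deliberate: a sensor that silently starts on a shared, nearly full filesystem is exactly the configuration that turned one night's port scan into a crashed syslogd in the story above. If you would rather degrade than refuse, replace the two `return 1` lines with a warning and mount a dedicated filesystem for `-l` before the next boot.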

