[Snort-users] snort 1.9 + OpenBSD 3.2-stable

Darren darren at ...7695...
Mon Dec 9 11:01:09 EST 2002


Hello Twig,

Monday, December 9, 2002, 6:48:59 PM, you wrote:

Everything is owned by snort and group snort

$ sudo find /var/log/snort/ ! -user snort -or ! -group snort
$

Rubbish, this is not it, I'll explain why in personal email so as not
to confuse the list.

Regards,
Darren

tl> Maybe chown -R?  That's what I use on my
tl> /var/log/snort.  I prolly should have said that the
tl> first time....

tl> BTW, why are you using sudo?  Snort can drop
tl> privileges natively.  Have you tried cutting sudo out
tl> and seeing if it works?  Not to say sudo breaks it,
tl> but it may require an added config option somewhere
tl> (never sudo'd snort).

tl> --- Darren <darren at ...7695...> wrote:
>> 
>> Hello Twig,
>> 
>> Yep.
>> 
>> $ ls -ld /var/log/snort
>> drwxr-xr-x  34 snort  snort  1024 Dec  9 18:32
>> /var/log/snort
>> 
>> $ grep snort /etc/group
>> snort:*:75:
>> $ grep snort /etc/passwd
>> snort:*:75:75::/home/snort:/sbin/nologin
>> 
>> $ ls -l /var/log/alert.csv
>> -rw-r--r--  1 snort  snort  0 Dec  9 15:14
>> /var/log/alert.csv
>> 
>> Darren
>> 
>> Monday, December 9, 2002, 6:07:21 PM, you wrote:
>> 
>> tl> Did you chown snort:snort /var/log/snort?
>> 
>> tl> --- Darren <darren at ...7695...> wrote:
>> >> 
>> >> Hello larc,
>> >> 
>> >> I upgraded to snort 1.9 and am still adding the following 2 lines.
>> >> 
>> >> I used ./configure with no options.
>> >> 
>> >> /etc/snort.conf
>> >> 
>> >> output alert_syslog: LOG_AUTH LOG_ALERT
>> >> output CSV: /var/log/alert.csv default
>> >> etc
>> >> [I have also tried commenting out alert_syslog]
>> >> 
>> >> /etc/snort/classification.config
>> >> /etc/snort/*.rules
>> >> 
>> >> Nothing goes in any of the /var/log/* files, nor does it log to
>> >> 
>> >> -bash-2.05b$ ls -l /var/log/alert.csv
>> >> -rw-r--r--  1 snort  snort  0 Dec  9 15:14
>> >> /var/log/alert.csv
>> >> 
>> >> -bash-2.05b$ sudo snort -v -u snort -g snort -l /var/log/snort -D
>> >> Initializing Output Plugins!
>> >> 
>> >> I don't think something is broken, but it's the way I'm using it.
>> >> 
>> >> Anyone got any thoughts?
>> >> 
>> >> Darren
>> >> 
>> >> Monday, December 9, 2002, 10:56:19 AM, you wrote:
>> >> 
>> >> l> Hi,
>> >> 
>> >> l> Well the best tip that I can give is, go to
>> >> www.snort.org and download snort 1.9
>> >> l> Version 1.8.6 is really old and there are no
>> >> signatures for it anymore.
>> >> 
>> >> l> Stefan D.
>> >> 
>> >> l> ------------------------
>> >> l>  Darren <darren at ...7695...> wrote:
>> >> l> ------------------------
>> >> l> Hello snort-users,
>> >> >>
>> >> >>After spending all afternoon on this, I need some tips.
>> >> >>
>> >> >>I am using OpenBSD 3.2-stable and snort 1.8.6 compiled from ports.
>> >> >>
>> >> >>I can't get snort to write csv output.  Is this a known issue or
>> >> >>am I doing something wrong?
>> >> >>
>> >> >>/etc/snort.conf
>> >> >>
>> >> >>output alert_syslog: LOG_AUTH LOG_ALERT
>> >> >>output csv: /var/log/snort/snort.log msg,proto,timestamp,src,srcport,dst,dstport
>> >> >>
>> >> >>-bash-2.05b$ ls -ld /var/log/snort
>> >> >>drwxr-xr-x  2 snort  snort  512 Dec  8 17:31
>> >> /var/log/snort
>> >> >>-bash-2.05b$ ls -l /var/log/snort/snort.log
>> >> >>-rw-r--r--  1 snort  snort  0 Dec  8 17:31
>> >> /var/log/snort/snort.log
>> >> >>
>> >> >>I have to launch snort like this so it writes into /var/log/snort/
>> >> >># snort -v -u snort -g snort -l /var/log/snort -D
>> >> >>
>> >> >>-bash-2.05b$ ps auxw | grep snort
>> >> >>snort    21995 31.8  0.0   664   644 ??  Ss    5:38PM    0:14.62 snort -v -u snort -g snort -l /var/log/snort -D
>> >> >>
>> >> >>Interestingly without the -l option it won't write there, but this
>> >> >>is less important.
>> >> >>
>> >> >>I'd like syslog and csv output.
>> >> >>
>> >> >>Snort was built like this
>> >> >># cd /usr/ports/net/snort
>> >> >># make install
>> >> >>
>> >> >>-bash-2.05b$ grep LOG_AUTH /usr/include/syslog.h
>> >> >>#define LOG_AUTH        (4 Snort!
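The ownership check Darren ran above (`find /var/log/snort/ ! -user snort -or ! -group snort`), together with Twig's point that Snort drops to the `-u`/`-g` user itself, is the usual pre-flight for a privilege-dropping logger: the log directory and everything in it must belong to the unprivileged user, and that user must be able to write there. The following script is an added example, not code from the thread or from the Snort project. It assumes only a POSIX shell with `find`, `ls` and `id`; the directory, user and group are parameters, and the `/var/log/snort snort snort` call at the bottom is the configuration from the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for a log directory that a daemon such as
# Snort writes to after dropping privileges with -u USER -g GROUP.
# Not from the mailing-list thread; directory, user and group are parameters.

# List every entry under DIR not owned by USER:GROUP. Returns 0 when all
# entries match, 1 when any mismatch is found, 2 when DIR or USER is missing.
check_snort_log_owner() {
    dir=$1; user=$2; group=$3
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    # find silently matches nothing for an unknown user, so verify it first
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "no such user: $user" >&2
        return 2
    fi
    # '!' binds tighter than -o, so this lists entries failing either test
    bad=$(find "$dir" ! -user "$user" -o ! -group "$group")
    if [ -n "$bad" ]; then
        echo "entries not owned by $user:$group under $dir:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Check that the owner of DIR has the write bit, since the daemon creates new
# files there after it has given up root. Uses the third column of ls -ld
# (owner write) so it works for any owner, not just the caller.
check_snort_log_writable() {
    dir=$1
    case $(ls -ld "$dir") in
        ??w*) return 0 ;;
    esac
    echo "owner has no write permission on $dir" >&2
    return 1
}

# Run both checks and summarise; exit status is the first failure seen.
snort_log_preflight() {
    dir=$1; user=$2; group=$3
    check_snort_log_owner "$dir" "$user" "$group" || return $?
    check_snort_log_writable "$dir" || return $?
    echo "ok: $dir is owned by $user:$group and owner-writable"
    return 0
}

# Values from the thread; only runs when invoked directly as a script.
if [ "${0##*/}" = "snort_log_preflight.sh" ]; then
    snort_log_preflight /var/log/snort snort snort
fi
```

Run it as the same user that starts Snort (root, if Snort is started with `-u`/`-g`); a non-zero exit names the first problem, so it can sit in front of the Snort start command in an rc script. Note that it checks ownership and the write bit only, which is what the thread was able to rule out; it does not tell you whether the output plugin itself was configured correctly.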
