[Snort-users] No alerts

Erek Adams erek at ...577...
Mon Mar 25 13:26:24 EST 2002


On Mon, 25 Mar 2002, Bill McCarty wrote:

> I downloaded and compiled Snort 1.8.4, replacing the 1.8.3-5 RPM version.
> It runs and logs fine, but doesn't generate alerts -- I don't mean SMB
> alerts, just plain Fast and Full alerts. However, switching back to the old
> binary -- without otherwise tweaking the configuration -- yields alerts
> once again.

First off, define what you mean by alerts.  Do you mean the
/var/log/snort/alert file?  Binary logging?  Syslog Alerts?

> I don't find any compile-time configuration options necessary to support
> alerts. But, perhaps I missed one.
>
> Does 1.8.4 require command-line specification of alert-related options that
> could previously be specified in snort.conf?
>
> The invocation is:
>
>         daemon /usr/sbin/snort \
>           -D \
>           -c $CDIR \
>           -i $INTERFACE \
>           -l $DIRBASE/$WEEK/$DATE \
>           -u $USER \
>           -h $HOMENET
>
> and snort.conf has:
>
> output alert_syslog: LOG_LOCAL1 LOG_INFO
> output log_tcpdump: snort.log
> output alert_full: /space1/snort/snort-full
> output alert_fast: /space1/snort/snort-fast

Well...  That's a bit of overkill.  If you are going to log in binary, there's
no need to burn CPU logging any other way.

I'd remove everything but log_tcpdump, then strace the binary and see what
it's trying to open.  It might be something as simple as permissions or a
umask issue from one version to another.

I've upgraded many times and never had any issues with alerting/logging
stopping.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
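One way to check the permissions hypothesis raised above before reaching for strace. This is an added helper script, not code from the thread or from the Snort project: it pulls the alert_full / alert_fast file targets out of a snort.conf and reports any whose directory is missing or not writable by the user running the check (run it as the account given to -u). The config fragment in the demo is constructed, written to a scratch directory so the script runs offline.

```shell
#!/bin/sh
# Print the file targets of the alert_full and alert_fast output plugins in a snort.conf.
# Assumes the "output <plugin>: <path>" layout used in the thread; paths contain no spaces.
snort_output_paths() {
    awk '$1 == "output" && ($2 == "alert_full:" || $2 == "alert_fast:") { print $3 }' "$1"
}

# For each configured alert file, check that its directory exists and that the current
# user can write there (and to the file, if it already exists).
# Prints "ok <path>" or "FAIL <path> (<reason>)"; returns 1 if any target fails.
check_alert_paths() {
    rc=0
    for p in $(snort_output_paths "$1"); do
        d=$(dirname "$p")
        if [ ! -d "$d" ]; then
            echo "FAIL $p (directory $d does not exist)"; rc=1
        elif [ ! -w "$d" ]; then
            echo "FAIL $p (directory $d not writable by $(id -un))"; rc=1
        elif [ -e "$p" ] && [ ! -w "$p" ]; then
            echo "FAIL $p (file exists but is not writable by $(id -un))"; rc=1
        else
            echo "ok $p"
        fi
    done
    return $rc
}

# Demo on a constructed snort.conf: one target in a writable scratch directory,
# one in a directory that does not exist, so the check is expected to report a FAIL.
demo_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/good"
    cat > "$tmp/snort.conf" <<EOF
output alert_syslog: LOG_LOCAL1 LOG_INFO
output log_tcpdump: snort.log
output alert_full: $tmp/good/snort-full
output alert_fast: $tmp/missing/snort-fast
EOF
    rc=0
    check_alert_paths "$tmp/snort.conf" || rc=1
    rm -rf "$tmp"
    return $rc
}
```

Run it as the snort user (for example `su -s /bin/sh snort -c 'sh check.sh'`) so the writability test reflects the account the daemon drops to.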
