[Snort-users] No alerts
erek at ...577...
Mon Mar 25 13:26:24 EST 2002
On Mon, 25 Mar 2002, Bill McCarty wrote:
> I downloaded and compiled Snort 1.8.4, replacing the 1.8.3-5 RPM version.
> It runs and logs fine, but doesn't generate alerts -- I don't mean SMB
> alerts, just plain Fast and Full alerts. However, switching back to the old
> binary -- without otherwise tweaking the configuration -- yields alerts
> once again.
First off, define what you mean by alerts. Do you mean the
/var/log/snort/alert file? Binary logging? Syslog Alerts?
> I don't find any compile-time configuration options necessary to support
> alerts. But, perhaps I missed one.
> Does 1.8.4 require command-line specification of alert-related options that
> could previously be specified in snort.conf?
> The invocation is:
> daemon /usr/sbin/snort \
> -D \
> -c $CDIR \
> -i $INTERFACE \
> -l $DIRBASE/$WEEK/$DATE \
> -u $USER \
> -h $HOMENET
> and snort.conf has:
> output alert_syslog: LOG_LOCAL1 LOG_INFO
> output log_tcpdump: snort.log
> output alert_full: /space1/snort/snort-full
> output alert_fast: /space1/snort/snort-fast
Well... That's a bit of overkill. If you are going to log in binary, there's
no need to burn CPU logging any other way.
I'd remove everything but log_tcpdump, then strace the binary and see what
it's trying to open. It might be something as simple as permissions or a
umask issue from one version to another.
I've upgraded many times and never had any issues with alerting/logging.
Hope that helps!
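As an added illustration of the check suggested above (this is not code from the original thread or from the Snort project): a small POSIX sh script that reads the file-backed "output" lines from a snort.conf, resolves each target the way Snort does (relative names go under the -l log directory, absolute ones are used as-is), and reports any output directory that is missing or not writable by the current user. Run it as the account given to -u to catch a permissions or umask difference between versions. The snort.conf, log directory and the strace invocation in the comments are assumptions for the example, not taken from the poster's setup.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Snort itself.
# For each file-backed "output" plugin in a snort.conf, resolve the file the
# plugin will try to open and check that its directory exists and is writable
# by the current user (run as the -u user, e.g. via su, to test as snort does).
#
# To watch the real binary instead, the reply's suggestion was strace; one way
# (assumed invocation, drop -D so the process stays in the foreground):
#   strace -f -e trace=open,openat -o /tmp/snort.strace \
#       /usr/sbin/snort -c snort.conf -l /var/log/snort -u snort -i eth0
#   grep -E 'EACCES|ENOENT|EPERM' /tmp/snort.strace

# Absolute targets are used as-is; relative ones (e.g. "snort.log") land
# under the directory given to -l.
resolve_output_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# Print the resolved path of every file-backed "output" line in a snort.conf.
# alert_syslog, alert_unixsock and database do not write a file, so they are
# skipped; trailing plugin arguments (e.g. "alert_fast: file 128") are dropped.
list_output_files() {
    conf="$1"; logdir="$2"
    while IFS= read -r line; do
        case "$line" in
            output*alert_syslog:*|output*alert_unixsock:*|output*database:*) ;;
            output*:*)
                target=${line#*:}
                set -- $target          # word-split: first word is the file
                [ $# -gt 0 ] && resolve_output_path "$logdir" "$1"
                ;;
        esac
    done < "$conf"
}

# Return 0 when every output file's directory exists and is writable by the
# current user, 1 otherwise, printing one line per problem found.
check_output_dirs() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dir=$(dirname "$path")
        if [ ! -d "$dir" ]; then
            echo "MISSING      $dir  (needed for $path)"; rc=1
        elif [ ! -w "$dir" ]; then
            echo "NOT WRITABLE $dir  (needed for $path)"; rc=1
        elif [ -e "$path" ] && [ ! -w "$path" ]; then
            echo "NOT WRITABLE $path  (exists, cannot append)"; rc=1
        fi
    done <<EOF
$(list_output_files "$1" "$2")
EOF
    return $rc
}

# Demo on a constructed config that mirrors the output lines in the thread,
# with a temporary log directory standing in for the -l argument.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log" "$tmp/space1/snort"
    cat > "$tmp/snort.conf" <<EOF
output alert_syslog: LOG_LOCAL1 LOG_INFO
output log_tcpdump: snort.log
output alert_full: $tmp/space1/snort/snort-full
output alert_fast: $tmp/space1/snort/snort-fast
EOF
    echo "files snort will open:"; list_output_files "$tmp/snort.conf" "$tmp/log"
    if check_output_dirs "$tmp/snort.conf" "$tmp/log"; then
        echo "all output directories writable by $(id -un)"
    else
        echo "fix the paths above, or the -u user cannot write its alerts"
    fi
    rm -rf "$tmp"
}

demo
```

Point it at the real snort.conf and the real -l directory, and run it with su to the -u user; any line it prints is a directory the daemon will fail to open after dropping privileges, which is exactly the case that would log fine from the old RPM's paths and silently produce nothing from a freshly built binary.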