[Snort-users] Snort-1.9.0 not generating required alerts

Alberto Gonzalez ag-snort at ...7149...
Tue Oct 15 21:33:09 EDT 2002

OK, let's try this again, since the first one got sent "blank", who knows...

I found this strange, since when I ran 1.8.7 I liked to log via syslog. 
Since moving to 1.9.0 (been running beta6 for a while), I moved on.

I tried running snort with just -s, and like you stated, I got the 
"Usage" screen...

(root at ...7183...)(~) snort -i rl0 -s -c /etc/snort/snort.conf  
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface rl0
ERROR: OpenPcap() FSM compilation failed:
        syntax error
PCAP command: /etc/snort/snort.conf
Fatal Error, Quitting..

IMHO, it's expecting an argument after -s (it didn't like -c).

Some digging into my /etc/snort/snort.conf file found the following:

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
# output alert_syslog: LOG_AUTH LOG_ALERT

I wondered if the Snort developers have made it so you have to pass an 
argument to the command line switch.
I attempted doing this with the following:

(root at ...7183...)(~) /usr/local/bin/snort -i rl0 -c /etc/snort/snort.conf 
Initializing Output Plugins!
(root at ...7183...)(~) tail -f /var/log/daemon 
Oct 16 00:27:44 cerebro snort:     target_limit: 5
Oct 16 00:27:44 cerebro snort:     port_limit: 20
Oct 16 00:27:44 cerebro snort:     timeout: 60
Oct 16 00:27:53 cerebro snort[7111]: Snort initialization completed 
successfully, Snort running

As you can see, when passing the LOG_AUTH argument on the command line, 
snort worked perfectly.
You might want to check out the Snort users manual, available via HTML or 


That URL above has the facilities that alert_syslog takes, either via 
output in snort.conf or, now seen in 1.9, via the command line.

Hope it helps.

    - Albert

archana rao wrote:

>   I followed the steps you had mentioned, and now I
>have discovered another problem. Snort-1.9.0 is not
>accepting the -s (log alerts to syslog) command line
>option. It gives me either a "fatal error, quitting"
>error message, or prints out the "USAGE:...."
>message. I noticed that I was getting the alerts in
>Snort-1.8.7 when I was using the -s option and so,
>when I tried doing the same thing, Snort-1.9.0 doesn't
>seem to be able to recognize the option. Any ideas?
>Thanks in advance,
The secret to success is to start from scratch and keep on scratching.
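The thread's underlying problem is a snort.conf whose alert_syslog output directive is still commented out, so no alerts ever reach syslog regardless of the -s switch. The following Python check is an added example, not code from the post or from the Snort project: it parses output directives from a constructed snort.conf fragment modelled on the one quoted above, reports when alert_syslog is absent or commented out, validates the facility and priority tokens, and can rewrite the directive into a live one. The facility and priority name sets are taken from syslog(3); which of them Snort 1.9's alert_syslog actually accepts is an assumption here, since the post only shows LOG_AUTH and LOG_ALERT.

```python
import re

# Constructed sample, modelled on the snort.conf fragment quoted in the post above.
SAMPLE_CONF = """\
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert.fast
output log_tcpdump: snort.log
"""

# syslog(3) facility and priority names. Which of them Snort 1.9's alert_syslog
# accepts is an assumption here; the post only shows LOG_AUTH and LOG_ALERT.
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    f"LOG_LOCAL{i}" for i in range(8)
}
PRIORITIES = {
    "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
    "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG",
}

# Matches both live and commented-out "output <plugin>: <args>" directives.
OUTPUT_RE = re.compile(r"^\s*(#\s*)?output\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_outputs(conf_text):
    """Return one dict per output directive: line, plugin, argument list, live or not."""
    directives = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        directives.append({
            "line": lineno,
            "plugin": m.group(2),
            "args": m.group(3).split(),
            "enabled": m.group(1) is None,
        })
    return directives


def check_syslog_output(conf_text):
    """Explain why syslog alerts may be missing; an empty list means the config looks fine."""
    findings = []
    syslog = [d for d in parse_outputs(conf_text) if d["plugin"] == "alert_syslog"]
    live = [d for d in syslog if d["enabled"]]
    if not live:
        if syslog:
            findings.append(
                f"line {syslog[0]['line']}: alert_syslog is commented out, so no alerts reach syslog"
            )
        else:
            findings.append("no alert_syslog output directive found")
    for d in live:
        unknown = [a for a in d["args"] if a not in FACILITIES and a not in PRIORITIES]
        if unknown:
            findings.append(f"line {d['line']}: unknown alert_syslog arguments {unknown}")
        if not any(a in FACILITIES for a in d["args"]):
            findings.append(f"line {d['line']}: alert_syslog names no facility")
    return findings


def enable_syslog(conf_text, facility="LOG_AUTH", priority="LOG_ALERT"):
    """Return the config with a live alert_syslog line, replacing a commented one if present."""
    new_line = f"output alert_syslog: {facility} {priority}"
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        m = OUTPUT_RE.match(line)
        if m and m.group(2) == "alert_syslog":
            lines[i] = new_line
            return "\n".join(lines) + "\n"
    lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_syslog_output(SAMPLE_CONF) or ["alert_syslog looks fine"]:
        print(finding)
    fixed = enable_syslog(SAMPLE_CONF)
    print(fixed)
    print(check_syslog_output(fixed) or ["alert_syslog looks fine"])
```

Run against the sample, the check reports that the alert_syslog directive on line 4 is commented out; after enable_syslog rewrites it to a live `output alert_syslog: LOG_AUTH LOG_ALERT` line, the check returns nothing, which matches the state in which the post's author saw alerts reach /var/log/daemon.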
