[Snort-users] Snort-1.9.0 not generating required alerts

Alberto Gonzalez ag-snort at ...7149...
Tue Oct 15 21:33:09 EDT 2002


ok lets try this again since the first one got sent "blank" who knows...

i found this strange, since when i ran 1.8.7 i liked to log via syslog. 
Since moving to 1.9.0 (been running beta6 for awhile)
i moved on.

I tried running snort with just -s.. and like you stated I got the 
"Usage" screen.....

(root at ...7183...)(~) snort -i rl0 -s -c /etc/snort/snort.conf  
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface rl0
ERROR: OpenPcap() FSM compilation failed:
        syntax error
PCAP command: /etc/snort/snort.conf
Fatal Error, Quitting..

IMHO, its expecting an argument after -s (it didnt like -c 
/etc/snort/snort.conf)

some digging into my /etc/snort/snort.conf file.. found the following:

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT

I wondered if the snort developers have made it so you have to pass a 
argument to the command line switch.
I attempted doing this with the following

(root at ...7183...)(~) /usr/local/bin/snort -i rl0 -c /etc/snort/snort.conf 
-s LOG_AUTH -D
Initializing Output Plugins!
(root at ...7183...)(~) tail -f /var/log/daemon 
<snip>
Oct 16 00:27:44 cerebro snort:     target_limit: 5
Oct 16 00:27:44 cerebro snort:     port_limit: 20
Oct 16 00:27:44 cerebro snort:     timeout: 60
Oct 16 00:27:53 cerebro snort[7111]: Snort initialization completed 
successfully, Snort running

As you can see,  when passing the LOG_AUTH argument to the command line, 
snort worked perfectly.
You might want to check out the snort users manual available via html or 
pdf...

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1

that URL above has the facilities that alert_syslog takes.. either via 
output in snort.conf or now seen in 1.9 via command line
argument.

hope it helps

    - Albert

archana rao wrote:

>Hi,
>   I followed the steps you had mentioned, and now I
>have discovered another problem.Snort-1.9.0 is not
>accepting the -s(log alerts to syslog) command line
>option.It gives me either a "fatal error, quitting"
>error message, or prints out the "USAGE:...."
>message.I noticed that I was getting the alerts in
>Snort-1.8.7 when I was using the -s option and so,
>when I tried doing the same thing, Snort-1.9.0 doesn't
>seem to be able to recognize the option.Any ideas?
>Thanks in advance,
>Archana
>
>
>  
>
-- 
The secret to success is to start from scratch and keep on scratching.






More information about the Snort-users mailing list