[Snort-users] Snort-1.9.0 not generating required alerts

archana rao archuatdavis at ...131...
Wed Oct 16 14:35:02 EDT 2002


Hey, thanks for the help. But whatever I do, nothing
seems to be working. I am still unable to get Snort to
raise the required alerts even though the errors
have now disappeared with the -s option. I just don't seem
to be able to figure out what is going wrong. Any help
would be greatly appreciated.
Archana

--- Alberto Gonzalez <ag-snort at ...7149...>
wrote:
> ok, let's try this again since the first one got sent
> "blank", who knows...
> 
> I found this strange, since when I ran 1.8.7 I liked
> to log via syslog.
> Since moving to 1.9.0 (been running beta6 for
> awhile)
> I moved on.
> 
> I tried running snort with just -s.. and like you
> stated I got the
> "Usage" screen.....
> 
> (root at ...7183...)(~) snort -i rl0 -s -c /etc/snort/snort.conf
> Initializing Output Plugins!
> Log directory = /var/log/snort
> 
> Initializing Network Interface rl0
> ERROR: OpenPcap() FSM compilation failed:
>         syntax error
> PCAP command: /etc/snort/snort.conf
> Fatal Error, Quitting..
> 
> IMHO, it's expecting an argument after -s (it didn't
> like -c /etc/snort/snort.conf)
> 
> some digging into my /etc/snort/snort.conf file..
> found the following:
> 
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments
> #
> # output alert_syslog: LOG_AUTH LOG_ALERT
> 
> I wondered if the snort developers have made it so
> you have to pass an
> argument to the command line switch.
> I attempted doing this with the following
> 
> (root at ...7183...)(~) /usr/local/bin/snort -i rl0 -c /etc/snort/snort.conf -s LOG_AUTH -D
> Initializing Output Plugins!
> (root at ...7183...)(~) tail -f /var/log/daemon 
> <snip>
> Oct 16 00:27:44 cerebro snort:     target_limit: 5
> Oct 16 00:27:44 cerebro snort:     port_limit: 20
> Oct 16 00:27:44 cerebro snort:     timeout: 60
> Oct 16 00:27:53 cerebro snort[7111]: Snort initialization completed successfully, Snort running
> 
> As you can see,  when passing the LOG_AUTH argument
> to the command line, 
> snort worked perfectly.
> You might want to check out the snort users manual
> available via html or 
> pdf...
> 
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1
> 
> that URL above has the facilities that alert_syslog
> takes.. either via 
> output in snort.conf or now seen in 1.9 via command
> line
> argument.
> 
> hope it helps
> 
>     - Albert
> 
> archana rao wrote:
> 
> >Hi,
> >   I followed the steps you had mentioned, and now I
> >have discovered another problem. Snort-1.9.0 is not
> >accepting the -s (log alerts to syslog) command line
> >option. It gives me either a "fatal error, quitting"
> >error message, or prints out the "USAGE:...."
> >message. I noticed that I was getting the alerts in
> >Snort-1.8.7 when I was using the -s option and so,
> >when I tried doing the same thing, Snort-1.9.0 doesn't
> >seem to be able to recognize the option. Any ideas?
> >Thanks in advance,
> >Archana
> >
> >
> >  
> >
> -- 
> The secret to success is to start from scratch and
> keep on scratching.
> 
> 

