[Snort-users] Upgrade, 1.8.6->2.0.0rc5 - new version won't alert to syslog? (fwd)

Glenn Forbes Fleming Larratt glratt at ...4500...
Fri Apr 18 09:49:22 EDT 2003


Thanks for the input, all.

Summary: the combination "-A fast -s" will write alerts to syslog in
a snort-1.8.6-on-Solaris-8 installation, but the two command-line arguments
seem to conflict in a snort-2.0.0-on-Solaris-8 installation, yielding
no alerts to syslog.

I was able to get my desired result by striking both "-A fast" and "-s"
from the command line in /etc/init.d/snort, and configuring

	# [Unix flavours should use this format...]
	# output alert_syslog: LOG_AUTH LOG_ALERT
	output alert_syslog: LOG_AUTH LOG_ALERT
	#

into snort.conf .

	-g

Glenn Forbes Fleming Larratt          glratt at ...604...
http://is.rice.edu/~glratt

There are imaginary bugs to chase in heaven.

---------- Forwarded message ----------
Date: Thu, 17 Apr 2003 16:41:05 -0500 (CDT)
From: Glenn Forbes Fleming Larratt <glratt at ...4500...>
To: snort-users at lists.sourceforge.net
Subject: Upgrade, 1.8.6->2.0.0rc5 - new version won't alert to syslog?

ObFAQ:
} Q: Snort is not logging to syslog
}
} A1: You are using a command line option that overrides what you have in your
}     configuration file.  This is most often -A.
}
} A2: It may be logging to the wrong place.  Make sure syslog is configured
}     correctly.

Solaris 2.8 installation, runs snort 1.8.6 very happily - sample output
in /var/adm/messages:

} Apr 17 16:19:52 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Writing PID file to "/var/run/"
} Apr 17 16:19:55 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running
} Apr 17 16:20:00 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.210:32775

but when I point to the 2.0.0 installation, I get (a) much more daemon.notice
traffic on initialization, but (b) *NO* alerts!

} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5742]: [ID 702911 daemon.notice]     Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice] telnet_decode arguments:
} Apr 17 16:13:08 snorto.my.domain snort[5744]: [ID 702911 daemon.notice]     Ports to decode telnet on: 21 23 25 119
} Apr 17 16:13:14 snorto.my.domain snort: [ID 702911 daemon.notice] Snort initialization completed successfully

Command line with which I'm running snort (out of the same /etc/init.d/snort
file for both versions):

} /usr/site/snort/bin/snort -o -b -D -m 022 -A fast -i qfe1 -s -l /snort/qfe1 -c /usr/site/snort/rules/snort.conf > /dev/null 2>&1

I have tried:

- changing the order of the command line arguments (particularly -s);
- removing -s and configuring "output alert_syslog: LOG_AUTH LOG_ALERT"
   into snort.conf;

to no avail. I have also tried running at the command line without the
-D switch, in which case snort writes an "alert" file in /var/log/snort or
/var/log/snort/{interface}.

I'm convinced that snort is generating alerts, because of the results
of a "kill -USR1":

} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Snort analyzed 18407 out of 18407 packets,
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] dropping 0(0.000%) packets
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice] Breakdown by protocol:                Action Stats:
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice]     TCP: 16905      (91.840%)         ALERTS: 10
} Apr 17 16:13:27 snorto.rice.edu snort: [ID 702911 daemon.notice]     UDP: 1401       (7.611%)          LOGGED: 10

but not syslogging them.

Can anyone shed some light on this?

Thanks,

	-g


Glenn Forbes Fleming Larratt          glratt at ...604...
http://is.rice.edu/~glratt

There are imaginary bugs to chase in heaven.
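The two things the thread turns on are (1) whether a command-line option such as -A or -s is overriding the "output alert_syslog" line in snort.conf, and (2) whether the alert lines are actually reaching /var/adm/messages rather than just the daemon.notice start-up chatter. The script below is an added example, not code from the thread or from the Snort project: it implements both checks as POSIX sh functions. The command lines and syslog lines it runs on are constructed, modelled on the ones quoted in the post (the SID 9000001 alert is made up); in practice you would feed it the line from /etc/init.d/snort and the real /var/adm/messages.

```shell
#!/bin/sh
# Added example, not part of the original thread: two checks for the
# "-A / -s override the snort.conf output lines" problem described above.
# The sample command lines and syslog excerpt below are constructed,
# modelled on the ones quoted in the post.

# check_cmdline_overrides 'SNORT COMMAND LINE'
# Echoes the number of command-line options that override the "output"
# section of snort.conf (-A and -s, as in the FAQ answer quoted in the post)
# and names each one on stderr. 0 means the snort.conf output config applies.
check_cmdline_overrides() {
    _n=0
    for _tok in $1; do
        case "$_tok" in
            -A) echo "override: -A sets the alert mode on the command line" >&2
                _n=$((_n + 1)) ;;
            -s) echo "override: -s sets syslog alerting on the command line" >&2
                _n=$((_n + 1)) ;;
        esac
    done
    echo "$_n"
}

# count_syslog_alerts < SYSLOG_FILE
# Counts lines that carry a Snort alert. Alert lines are recognised by the
# "[gid:sid:rev]" signature reference, which the daemon.notice start-up
# messages (preprocessor arguments, PID file, statistics) never contain.
count_syslog_alerts() {
    awk '/snort(\[[0-9]+\])?: / && /\[[0-9]+:[0-9]+:[0-9]+\]/ { n++ }
         END { print n + 0 }'
}

# summarize_syslog_alerts < SYSLOG_FILE
# Prints "<count> [gid:sid:rev]" per signature, busiest first, so a quick
# look at /var/adm/messages shows which rules are firing.
summarize_syslog_alerts() {
    awk '/snort(\[[0-9]+\])?: / && match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
             hits[substr($0, RSTART, RLENGTH)]++
         }
         END { for (s in hits) print hits[s], s }' | sort -rn
}

# Constructed sample: the command line from the post, and the same line with
# "-A fast" and "-s" struck out, as the post's fix does.
OLD_CMDLINE='/usr/site/snort/bin/snort -o -b -D -m 022 -A fast -i qfe1 -s -l /snort/qfe1 -c /usr/site/snort/rules/snort.conf'
NEW_CMDLINE='/usr/site/snort/bin/snort -o -b -D -m 022 -i qfe1 -l /snort/qfe1 -c /usr/site/snort/rules/snort.conf'

# Constructed syslog excerpt: start-up notices, two alerts modelled on the
# post, one unrelated sshd line, and one alert with a made-up SID (9000001).
SAMPLE_LOG='Apr 17 16:19:52 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Writing PID file to "/var/run/"
Apr 17 16:19:55 snorto.my.domain snort[5840]: [ID 702911 daemon.notice] Snort initialization completed successfully, Snort running
Apr 17 16:20:00 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.210:32775
Apr 17 16:20:03 snorto.my.domain sshd[5901]: [ID 800047 auth.info] Accepted publickey for admin from 10.0.0.5 port 40122
Apr 17 16:20:07 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:1940000:1] UDP DNS traffic {UDP} 192.31.80.30:53 -> MY.NET.58.211:32901
Apr 17 16:20:09 snorto.my.domain snort[5840]: [ID 702911 auth.alert] [1:9000001:1] CONSTRUCTED sample alert {ICMP} 10.0.0.9 -> MY.NET.58.210'

echo "overrides in old command line: $(check_cmdline_overrides "$OLD_CMDLINE")"
echo "overrides in new command line: $(check_cmdline_overrides "$NEW_CMDLINE")"
echo "alerts in sample syslog: $(printf '%s\n' "$SAMPLE_LOG" | count_syslog_alerts)"
printf '%s\n' "$SAMPLE_LOG" | summarize_syslog_alerts
```

On a live box, `check_cmdline_overrides "$(grep bin/snort /etc/init.d/snort)"` reporting anything other than 0 while snort.conf carries an "output alert_syslog" line is the FAQ's A1 case; `count_syslog_alerts < /var/adm/messages` staying at 0 after a `kill -USR1` shows ALERTS > 0 is the symptom the post describes.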