[Snort-users] Snort Syslog Alerts on Win32

L. Christopher Luther CLuther at ...6333...
Sat Jan 4 21:42:05 EST 2003


Thanks, Frank.  I'll search the archives (soon) to see what I can find.  I
really liked the Snort forum on RapidNet -- it made searching much easier --
but alas, it's gone by the wayside.  

Christopher


-----Original Message-----
From: Frank Knobbe [mailto:fknobbe at ...652...]
Sent: Saturday, January 04, 2003 8:33 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32


On Sat, 2003-01-04 at 15:59, L. Christopher Luther wrote:
> Unfortunately, using the command line parameter for syslog is not an
> option, exactly because I don't want to clobber the other output
> plug-ins in the snort.conf file.  And it probably will not work anyway
> under Win32 (see the post/rant I just sent to the list).  It appears
> that  "syslog" under Win32 really means "Event Log", which just will
> not do.  
> 
> Presuming that Snort under Win32 will some day really support syslog
> output, hopefully then there will also be a "host=" and "port=" option
> for the alert_syslog plug-in.  


Chris,

if you search the archives you will come across (almost monthly)
postings like yours. I had written a patch to Snort at some time in the
past (I think that's almost 2-3 years ago). That patch will allow you to
use '-s <host>' on the command line under Windows without nullifying the
snort.conf. In other words, Snort still uses all settings from
snort.conf but in addition uses the host from '-s' to send syslog alerts
to.

Why this still hasn't been committed, I can't answer. Even though this
issue is raised very frequently, the developers/committers have yet to
add a satisfactory solution to the source. My patch worked for me (and
others), but I guess wasn't worthy for addition to Snort. Until that
issue is finally addressed, we'll see questions like this asked
routinely.

So, again, search the archives and you'll find a patch for Snort. Apply
that to the source, recompile, and you can send syslog alerts to a
remote host under Windows.

Regards,
Frank
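What both messages are after is a way to get Snort alerts from a Windows sensor to a remote syslog collector without a rebuilt Snort. An added example, not Snort's code nor Frank's patch: a small Python forwarder that reads lines from Snort's alert_fast output file, wraps each in an RFC 3164 syslog header using the LOG_AUTH/LOG_ALERT pair the stock snort.conf alert_syslog line uses, and sends it by UDP to a host and port you choose. The alert line, hostname "sensor1" and collector port are constructed for the example.

```python
"""Forward Snort alert_fast lines to a remote syslog host over UDP (RFC 3164).

Added example, not Snort code. Assumes alerts are read from Snort's
alert_fast output file and the collector listens on UDP (default 514).
"""
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity numbers (only the ones this example uses).
FACILITIES = {"LOG_AUTH": 4, "LOG_LOCAL0": 16, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_ALERT": 1, "LOG_WARNING": 4, "LOG_INFO": 6}

# Constructed sample alert line in alert_fast layout; sid 1000001 is in the
# local-rule range and the addresses are documentation addresses.
SAMPLE_ALERT = ("01/04-21:42:05.123456 [**] [1:1000001:1] EXAMPLE probe [**] "
                "[Priority: 2] {TCP} 192.0.2.10:3344 -> 192.0.2.20:80")
SAMPLE_TIME = datetime(2003, 1, 4, 21, 42, 5)


def syslog_pri(facility="LOG_AUTH", severity="LOG_ALERT"):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_syslog_message(text, hostname="sensor1", tag="snort",
                         facility="LOG_AUTH", severity="LOG_ALERT", when=None):
    """Wrap text in an RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    when = when or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {text.strip()}"


def forward_alert_line(line, host, port=514, when=None, sock=None):
    """Send one alert line as a UDP syslog datagram; returns the bytes sent."""
    payload = build_syslog_message(line, when=when).encode("utf-8")
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(payload, (host, port))
    finally:
        if own:
            sock.close()
    return payload


def roundtrip_demo():
    """Loopback self-check: listen on an ephemeral UDP port, forward the sample
    line to it and return the datagram the collector would have received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    try:
        port = listener.getsockname()[1]
        forward_alert_line(SAMPLE_ALERT, "127.0.0.1", port, when=SAMPLE_TIME)
        data, _ = listener.recvfrom(2048)
    finally:
        listener.close()
    return data.decode("utf-8")


if __name__ == "__main__":
    # Usage: python forward_snort_syslog.py <alert_file> <collector_host> [port]
    if len(sys.argv) < 3:
        print(roundtrip_demo())
    else:
        dest_port = int(sys.argv[3]) if len(sys.argv) > 3 else 514
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            for alert in fh:
                if alert.strip():
                    forward_alert_line(alert, sys.argv[2], dest_port)
```

Run with no arguments to see the loopback self-check, or point it at the alert file and a collector. The forwarder re-reads the file from the start each run; pairing it with a scheduled task or a tail-style loop that remembers its file offset is left to the deployment. RFC 3164 collectors may truncate datagrams over 1024 bytes, which matters only for unusually long rule messages.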
