[Snort-users] Win32, output alert_syslog: host=xxxx broken?

JP Vossen vossenjp at ...8683...
Thu May 1 14:23:05 EDT 2003


Per [0] and [1], "output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT"
should work on Windows, yet in Version 2.0.0-ODBC-MySQL-WIN32 (Build 72) [2]
it does not seem to.

I've tried these; none work (NOT using -s on CLI):
	output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
	output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
	output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
	output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT

Snort starts and runs fine with -T or -v, I get captures in the ./log dir as
expected, but no matter what, the events all end up in the Windows Event log,
NOT in my loghost's syslog.  Loghost is RedHat 8 and it's working, as I am
getting syslog from other servers (in fact, I'm using BackLog on the Snort
Windows box, so I *do* get the Snort alerts, but from BackLog, not Snort. :-(
Unfortunately, that is not a possible solution as this config is for a
customer who must run Snort on Windows and send to a syslog device doing
filtering.  Adding Backlog to the mix will break the filters.

C:\Snort> egrep "output alert|alert icmp" c:\snort\etc\snort.conf
# output alert_syslog: host=10.120.2.61:514, LOG_AUTH LOG_ALERT
#output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
#output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
#output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
alert icmp any any -> any any (msg: "HPT-Catch All ICMP";)

I'm running really simple (e.g. C:\Snort> bin\snort -c
c:\Snort\etc\snort.conf), and added the above temp rule to trigger alerts via
ping.  Everything works, except the alerts go to the wrong place.  I took a
peek at the source and it *looked* OK to me, but then I really don't know
squat about it.

Am I doing something dumb, or is it really broken?  If so, when might it be
fixed?

TIA,
JP


[0]
From: Chris Green <cmg at ...1935...>
Date: Tue, 01 Apr 2003 14:34:49 -0500
Subject: [Snort-announce] Snort 2.0.0 RC2 Available!

Changes Since RC1
	syslog should work on win32 and unix


[1]
2003-03-27  Chris Reid  <chris.reid at ...3029...>

    Build 63

    * src/output-plugins/spo_alert_syslog.c
      Win32 '-s' now takes no arguments.  Host/port info is
      configured only within snort.conf (output alert_syslog).


[2]
http://www.snort.org/dl/binaries/win32/snort-2_0_0.exe


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
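As a check added here (not part of the original post or of Snort itself), a small Python sender that emits one BSD-syslog datagram with the same host:port and LOG_AUTH LOG_ALERT priority as the snort.conf line, so the loghost's acceptance of UDP 514 from the Windows box can be confirmed independently of the output plugin; the hostname `snortwin` and the message text are constructed values.

```python
import socket
from datetime import datetime

# Facility and severity codes from <syslog.h> / RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_DAEMON": 3, "LOG_AUTH": 4,
              "LOG_SYSLOG": 5, "LOG_AUTHPRIV": 10, "LOG_LOCAL0": 16, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def syslog_pri(facility, severity):
    """PRI for a 'LOG_AUTH LOG_ALERT' style pair, e.g. LOG_AUTH LOG_ALERT -> 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_host_spec(spec, default_port=514):
    """Split the host= value of alert_syslog ('loghost:514' or 'loghost') into (host, port)."""
    host, sep, port = spec.partition(":")
    return host, (int(port) if sep else default_port)


def build_message(facility, severity, hostname, tag, text, when=None):
    """Build one RFC 3164 line: '<PRI>Mmm dd hh:mm:ss HOST TAG: text' (day is space-padded)."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def send_test_alert(host_spec, facility, severity, hostname, text):
    """Send one constructed alert to the loghost over UDP and return what was sent."""
    host, port = parse_host_spec(host_spec)
    payload = build_message(facility, severity, hostname, "snort", text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return host, port, payload


if __name__ == "__main__":
    # Constructed test: same destination and facility/severity as the snort.conf line in the post.
    sent = send_test_alert("loghost:514", "LOG_AUTH", "LOG_ALERT", "snortwin",
                           "[1:0:0] HPT-Catch All ICMP (manual syslog test)")
    print("sent to %s:%d -> %r" % sent)
```

If this datagram shows up in the loghost's syslog while the Snort alerts do not, the network path and the RedHat syslogd's remote reception are fine and the problem is on the Snort side.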
