[Snort-users] Win32, output alert_syslog: host=xxxx broken?

Rich Adamson radamson at ...2127...
Thu May 1 14:46:07 EDT 2003


JP,

I've been running Build 76 on Win2kPro using the startup command line
option "-s" and
 output alert_syslog: host=127.0.0.1, LOG_AUTH LOG_ALERT
and it's been working fine. Might get build 76 and give it a try. Think
you might need the -s option also.

Rich

------------------------
> Per [0] and [1], "output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT"
> should work on Windows, yet in Version 2.0.0-ODBC-MySQL-WIN32 (Build 72) [2]
> it does not seem to.
> 
> I've tried these, none work (NOT using -s on CLI):
> 	output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
> 	output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
> 	output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
> 	output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
> 
> Snort starts and runs fine with -T or -v, I get captures in the ./log dir as
> expected, but no matter what, the events all end up in the Windows Event log,
> NOT in my loghost's syslog.  Loghost is RedHat 8 and it's working as I am
> getting syslog from other servers (in fact, I'm using BackLog on the Snort
> Windows box, so I *do* get the Snort alerts-but from Backlog, not Snort. :-(
> Unfortunately, that is not a possible solution as this config is for a
> customer who must run Snort on Windows and send to a syslog device doing
> filtering.  Adding Backlog to the mix will break the filters.
> 
> C:\Snort> egrep "output alert|alert icmp" c:\snort\etc\snort.conf
> # output alert_syslog: host=10.120.2.61:514, LOG_AUTH LOG_ALERT
> #output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
> #output alert_syslog: host=192.168.1.5, LOG_AUTH LOG_ALERT
> #output alert_syslog: host=loghost:514, LOG_AUTH LOG_ALERT
> output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
> alert icmp any any -> any any (msg: "HPT-Catch All ICMP";)
> 
> I'm running really simple (e.g. C:\Snort> bin\snort -c
> c:\Snort\etc\snort.conf), and added the above temp rule to trigger alerts via
> ping.  Everything works, except the alerts go to the wrong place.  I took a
> peek at the source and it *looked* OK to me, but then I really don't know
> squat about it.
> 
> Am I doing something dumb, or is it really broken?  If so, when might it be
> fixed?
> 
> TIA,
> JP
> 
> 
> [0]
> From: Chris Green <cmg at ...1935...>
> Date: Tue, 01 Apr 2003 14:34:49 -0500
> Subject: [Snort-announce] Snort 2.0.0 RC2 Available!
> 
> Changes Since RC1
> 	syslog should work on win32 and unix
> 
> 
> [1]
> 2003-03-27  Chris Reid  <chris.reid at ...3029...>
> 
>     Build 63
> 
>     * src/output-plugins/spo_alert_syslog.c
>       Win32 '-s' now takes no arguments.  Host/port info is
>       configured only within snort.conf (output alert_syslog).
> 
> 
> [2]
> http://www.snort.org/dl/binaries/win32/snort-2_0_0.exe
> 
> 
> ------------------------------|:::======|--------------------------------
> JP Vossen, CISSP              |:::======|                jp at ...8684...
> My Account, My Opinions       |=========|       http://www.jpsdomain.org/
> ------------------------------|=========|--------------------------------
> "The software said it requires Windows 98 or better, so I installed
> Linux..."
> 
> 
> 

---------------End of Original Message-----------------
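A small helper, added here and not part of either message or of Snort itself, that does the two checks a defender would want while chasing a "wrong destination" problem like the one above: it parses the `output alert_syslog: host=...` directives out of a snort.conf (commented lines are ignored, the `host:port` form is split, and the `LOG_AUTH LOG_ALERT` pair is turned into the numeric syslog PRI), and it can fire one UDP test datagram at the configured loghost so the network path and the receiver's filters can be verified separately from Snort's plugin. The fallback to 127.0.0.1 when `host=` is omitted is an assumption, and the sample config is constructed from the egrep output quoted above.

```python
import re
import socket

# Numeric codes from RFC 3164; only the names Snort's alert_syslog output plugin accepts are listed.
FACILITIES = {"LOG_AUTH": 4, "LOG_AUTHPRIV": 10, "LOG_DAEMON": 3, "LOG_USER": 1,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

# Matches "output alert_syslog: host=<host>[:<port>], <facility> <severity>"; the host= part is optional.
DIRECTIVE = re.compile(
    r"^\s*output\s+alert_syslog:\s*"
    r"(?:host=(?P<host>[^,\s:]+)(?::(?P<port>\d+))?\s*,\s*)?"
    r"(?P<fac>LOG_\w+)\s+(?P<sev>LOG_\w+)\s*$")


def parse_alert_syslog(line):
    """Return (host, port, priority) for one active directive, or None for comments and other lines."""
    if line.lstrip().startswith("#"):
        return None
    m = DIRECTIVE.match(line)
    if not m:
        return None
    host = m.group("host") or "127.0.0.1"      # assumption: local syslog when host= is omitted
    port = int(m.group("port") or 514)         # 514/udp is the syslog default
    pri = FACILITIES[m.group("fac")] * 8 + SEVERITIES[m.group("sev")]   # PRI = facility*8 + severity
    return host, port, pri


def active_directives(conf_text):
    """All uncommented alert_syslog destinations in a snort.conf, in file order."""
    return [d for d in map(parse_alert_syslog, conf_text.splitlines()) if d]


def build_syslog_packet(pri, tag, msg):
    """Minimal RFC 3164 datagram: <PRI>TAG: MSG (timestamp and hostname may be filled in by the receiver)."""
    return f"<{pri}>{tag}: {msg}".encode("ascii")


def send_test_alert(host, port, pri):
    """Send one UDP test message so the loghost can be checked independently of Snort's plugin."""
    packet = build_syslog_packet(pri, "snort", "alert_syslog reachability test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))
    return packet


# Constructed sample mirroring the quoted egrep output: commented candidates plus one active line.
SAMPLE_CONF = """\
# output alert_syslog: host=10.120.2.61:514, LOG_AUTH LOG_ALERT
#output alert_syslog: host=192.168.1.5:514, LOG_AUTH LOG_ALERT
output alert_syslog: host=loghost, LOG_AUTH LOG_ALERT
"""

if __name__ == "__main__":
    for host, port, pri in active_directives(SAMPLE_CONF):
        print(f"{host}:{port} PRI=<{pri}>")
```

If the test datagram shows up in the loghost's syslog but Snort's alerts do not, the fault is on the Snort side (build or the `-s` switch) rather than in the network or the receiver's filters.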
