Fixed: [Snort-users] Win32, output alert_syslog: host=xxxx broken?

JP Vossen vossenjp at ...8683...
Thu May 1 16:05:14 EDT 2003

On Thu, 1 May 2003, Rich Adamson wrote:

> I've been running Build 76 on Win2kPro using the startup command line

Where did b76 come from?  I don't see that on the D/L site.

> option "-s" and output alert_syslog: host=, LOG_AUTH LOG_ALERT
> and its been working fine.
> Might get build 76 and give it a try. Think you might need the -s option
> also.

Argh!!!  Adding -s to the CLI fixed it.  But that is very confusing!  I never
would have thought of that because my understanding is that CLI options
override conf options, so you DON'T use them when setting everything in the
conf file.  So is the rule of thumb now "don't use CLI options EXCEPT that you
must use -s with output alert_syslog?!?"  That seems wrong to me, but...  It
should probably be either fixed or noted in the sample conf file.

Also, on a related note there is a format string bug in
snort-2.0.0/src/win32/WIN32-Code/syslog.c.  I know this because Marty told me
on 11/23/2002, but I'd thought it was fixed.  It adds three spaces between the
syslog facility and the service name:


05/01-18:38:29.018619 ->
UDP TTL:128 TOS:0x0 ID:15442 IpLen:20 DgmLen:107 Len: 79
<33>   snort: [1:0:0] HPT-Catch All ICMP {ICMP} -

May  1 18:38:29 loghost    snort: [1:0:0] HPT-Catch All ICMP {ICMP} ->

Anyway, thanks for the help with this!
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|
"The software said it requires Windows 98 or better, so I installed

More information about the Snort-users mailing list