[Snort-users] syslog output plugin

José M. Fandiño snort at ...9188...
Thu May 15 07:42:05 EDT 2003


Hello,

 I'm trying to run snort 2.0 on an OpenBSD machine, but I'm unable
to get the syslog output plugin to work. Snort is jailed, running
as an unprivileged user, and the ethernet interface doesn't have any IP
address assigned.

System scripts use this line to start snort:
/usr/local/snort/bin/snort -t /usr/local/snort -devsI -c ./snort-ids.conf -D -u snortxl0 -g snortxl0 -P 1518 -i xl0 -A full -l /usr/local/snort/var/log/snort/

So, I have this line in my snort-ids.conf:
output alert_syslog: LOG_AUTH LOG_ALERT

The syslog daemon opens a socket in the jailed environment, as you
can see:
syslogd -a /usr/local/snort/dev/log

# file /usr/local/snort/dev/log
/usr/local/snort/dev/log: socket

and this line in the syslog.conf file catches all messages:
*.*     /var/log/all

I only see the snort initialization messages, but nothing
about alerts. :-?

Any idea about where the problem is?

May 15 14:41:41 rastreador snort: OpenPcap() device xl0 network lookup:         xl0: no IPv4 address assigned
May 15 14:41:41 rastreador snort: Initializing daemon mode
May 15 14:41:41 rastreador snort: PID path stat checked out ok, PID path set to /var/run/
May 15 14:41:41 rastreador snort: Writing PID "17321" to file "/var/run//snort_xl0.pid"
May 15 14:41:41 rastreador snort: http_decode arguments:
May 15 14:41:41 rastreador snort:     Unicode decoding
May 15 14:41:41 rastreador snort:     IIS alternate Unicode decoding
May 15 14:41:41 rastreador snort:     IIS double encoding vuln
May 15 14:41:41 rastreador snort:     Flip backslash to slash
May 15 14:41:41 rastreador snort:     Include additional whitespace separators
May 15 14:41:41 rastreador snort:     Ports to decode http on: 80
May 15 14:41:41 rastreador snort: rpc_decode arguments:
May 15 14:41:41 rastreador snort:     Ports to decode RPC on: 111 32771
May 15 14:41:41 rastreador snort:     alert_fragments: INACTIVE
May 15 14:41:41 rastreador snort:     alert_large_fragments: ACTIVE
May 15 14:41:41 rastreador snort:     alert_incomplete: ACTIVE
May 15 14:41:41 rastreador snort:     alert_multiple_requests: ACTIVE
May 15 14:41:41 rastreador snort: telnet_decode arguments:
May 15 14:41:41 rastreador snort:     Ports to decode telnet on: 21 23 25 119
May 15 14:41:41 rastreador snort: command line overrides rules file alert plugin!
May 15 14:41:45 rastreador snort: Snort initialization completed successfully

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
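As an added example (not from the post or from the Snort project), a small POSIX shell check an administrator can run against the config file, the start-up command line and the syslog start-up messages. It flags the situation the post's own log shows: the "command line overrides rules file alert plugin!" warning means the -A option on the command line takes precedence over the config's "output alert_syslog" line. File paths, the sample log lines and the SAMPLE_CMDLINE value are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project.
# Cross-checks three artifacts for the output-plugin precedence conflict:
#   1. the config file (does it declare "output alert_syslog"?)
#   2. the start-up command line (does it pass -A, which overrides that line?)
#   3. the syslog start-up messages (did Snort print the override warning?)

# 0 if the config declares an alert_syslog output plugin, 1 otherwise.
config_has_alert_syslog() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_syslog' "$1"
}

# 0 if the command line contains a -A alert-mode option, 1 otherwise.
cmdline_has_alert_mode() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-A([[:space:]]|$)'
}

# Number of override warnings in the start-up log (0 when none or unreadable).
count_override_warnings() {
    n=$(grep -c 'command line overrides rules file alert plugin' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Prints CONFLICT (exit 1) when the config asks for syslog output but the
# command line or the start-up log shows -A taking precedence; OK otherwise.
snort_output_check() {
    conf=$1 cmdline=$2 log=$3
    warnings=$(count_override_warnings "$log")
    if config_has_alert_syslog "$conf" &&
       { cmdline_has_alert_mode "$cmdline" || [ "$warnings" -gt 0 ]; }; then
        echo "CONFLICT: 'output alert_syslog' in $conf is overridden by -A on the command line ($warnings warning(s) logged)"
        return 1
    fi
    echo "OK"
}

# Constructed sample inputs modelled on the post, written into directory $1.
write_sample_inputs() {
    printf 'output alert_syslog: LOG_AUTH LOG_ALERT\n' > "$1/snort-ids.conf"
    cat > "$1/startup.log" <<'EOF'
May 15 14:41:41 rastreador snort: command line overrides rules file alert plugin!
May 15 14:41:45 rastreador snort: Snort initialization completed successfully
EOF
}

# Constructed command line carrying the same -A option as the post's start script.
SAMPLE_CMDLINE='snort -devsI -c ./snort-ids.conf -D -A full -i xl0'
```

To try it: write_sample_inputs /tmp/snortcheck, then snort_output_check /tmp/snortcheck/snort-ids.conf "$SAMPLE_CMDLINE" /tmp/snortcheck/startup.log.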