[Snort-users] syslog output plugin

L. Christopher Luther CLuther at ...6333...
Thu May 15 09:09:02 EDT 2003


Jose,  

The Snort command line options for alerting or logging override *all* output
plugins specified in snort.conf [0].  Instead of using the '-A full' command
line parameter, use the 'alert_full' output plugin [1].  


HTH,  

- Christopher 

[0] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1 
[1] http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.3

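As an added illustration of the point above (this is not code from either poster or from the Snort project): a small POSIX sh helper that flags the Snort 2.x command-line options which take over alert/log output and make Snort print "command line overrides rules file alert plugin!", run against the start line from the original post, followed by the config-only setup that keeps both the syslog and the full-text alert outputs. It assumes the option letters as printed by Snort 2.x's own usage text: -A <mode> (alert mode), -s (alert to syslog), -N (logging off) and -b (binary logging); note that the -s inside the bundled -devsI is itself a command-line alert option, so it has to go along with -A full. The config fragment, temp file and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions: Snort 2.x option letters per "snort -?" (-A <mode>, -s, -N, -b);
# the snort.conf fragment and the file written below are constructed for the demo.

# Print the offending flags (in command-line order) and return 0 if the given
# snort command line will override the config's output plugins; return 1 if not.
snort_cli_overrides() {
    found=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -A)                         # alert mode with a separate argument
                found="$found -A ${2:-}"
                if [ $# -gt 1 ]; then shift; fi ;;
            -A?*) found="$found $1" ;;  # alert mode glued to the flag, e.g. -Afast
            --)   break ;;
            -?*)                        # possibly bundled single-letter flags, e.g. -devsI
                flags=${1#-}
                case "$flags" in *s*) found="$found -s" ;; esac   # alert to syslog
                case "$flags" in *N*) found="$found -N" ;; esac   # logging off
                case "$flags" in *b*) found="$found -b" ;; esac   # binary (pcap) logging
                ;;
        esac
        shift
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "${found# }"
}

# List the output plugins declared in a snort.conf: exactly the lines that a
# command-line -A/-s/-N/-b makes Snort ignore.
snort_conf_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+(alert|log)_' "$1"
}

# The start line from the original post: -devsI carries -s, and -A full is explicit.
# (Unquoted expansion is intentional: the string is split into separate arguments.)
ORIG_CMD="-t /usr/local/snort -devsI -c ./snort-ids.conf -D -u snortxl0 -g snortxl0 -P 1518 -i xl0 -A full -l /usr/local/snort/var/log/snort/"
if overrides=$(snort_cli_overrides $ORIG_CMD); then
    echo "command line overrides snort.conf output plugins: $overrides"
fi

# Constructed snort.conf fragment: both alert outputs live in the config, so
# nothing on the command line has to select an alert mode.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
# snort-ids.conf (constructed for this example)
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert.full
EOF
echo "output plugins declared in $CONF:"
snort_conf_outputs "$CONF"

# Corrected start line: -s dropped from the bundle and -A full removed;
# -l still sets the log directory.
FIXED_CMD="-t /usr/local/snort -devI -c ./snort-ids.conf -D -u snortxl0 -g snortxl0 -P 1518 -i xl0 -l /usr/local/snort/var/log/snort/"
if ! snort_cli_overrides $FIXED_CMD >/dev/null; then
    echo "ok, no override: /usr/local/snort/bin/snort $FIXED_CMD"
fi
```

Running it prints the two offending flags for the original line (`-s -A full`), lists the two `output` plugins from the constructed config, and confirms the corrected line leaves them in force. Snort's own "command line overrides rules file alert plugin!" message at startup is the quickest live check that the override is still in effect.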

-----Original Message-----
From: José M. Fandiño [mailto:snort at ...9188...]
Sent: Thursday, May 15, 2003 10:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] syslog output plugin


Hello,

 I'm trying to run snort 2.0 on an OpenBSD machine, but I'm unable
to make the syslog output plugin work. Snort is jailed, running
as an unprivileged user, and the ethernet interface doesn't have any IP
address assigned.

System scripts use this line to start snort.
/usr/local/snort/bin/snort -t /usr/local/snort -devsI -c ./snort-ids.conf -D -u snortxl0 -g snortxl0 -P 1518 -i xl0 -A full -l /usr/local/snort/var/log/snort/

So, I have this line in my snort-ids.conf
output alert_syslog: LOG_AUTH LOG_ALERT

The syslog daemon opens a socket in the jailed environment, as you
can see:
syslogd -a /usr/local/snort/dev/log

# file /usr/local/snort/dev/log
/usr/local/snort/dev/log: socket

and this line in the syslog.conf file catches all messages:
*.*     /var/log/all

I only see the snort initialization messages but nothing 
about alerts. :-?

Any idea where the problem is?

May 15 14:41:41 rastreador snort: OpenPcap() device xl0 network lookup: xl0: no IPv4 address assigned
May 15 14:41:41 rastreador snort: Initializing daemon mode
May 15 14:41:41 rastreador snort: PID path stat checked out ok, PID path set to /var/run/
May 15 14:41:41 rastreador snort: Writing PID "17321" to file "/var/run//snort_xl0.pid"
May 15 14:41:41 rastreador snort: http_decode arguments:
May 15 14:41:41 rastreador snort:     Unicode decoding
May 15 14:41:41 rastreador snort:     IIS alternate Unicode decoding
May 15 14:41:41 rastreador snort:     IIS double encoding vuln
May 15 14:41:41 rastreador snort:     Flip backslash to slash
May 15 14:41:41 rastreador snort:     Include additional whitespace separators
May 15 14:41:41 rastreador snort:     Ports to decode http on: 80
May 15 14:41:41 rastreador snort: rpc_decode arguments:
May 15 14:41:41 rastreador snort:     Ports to decode RPC on: 111 32771
May 15 14:41:41 rastreador snort:     alert_fragments: INACTIVE
May 15 14:41:41 rastreador snort:     alert_large_fragments: ACTIVE
May 15 14:41:41 rastreador snort:     alert_incomplete: ACTIVE
May 15 14:41:41 rastreador snort:     alert_multiple_requests: ACTIVE
May 15 14:41:41 rastreador snort: telnet_decode arguments:
May 15 14:41:41 rastreador snort:     Ports to decode telnet on: 21 23 25 119
May 15 14:41:41 rastreador snort: command line overrides rules file alert plugin!
May 15 14:41:45 rastreador snort: Snort initialization completed successfully

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------

