[Snort-users] Snort bug in syslog output?

JP Vossen vossenjp at ...8683...
Fri May 23 21:57:10 EDT 2003


I've found what looks like a bug in Snort's syslog output.  But it could be me
just doing something crazy.  When running more than one instance of Snort on a
single server, I've been playing with using symlinks to keep track of which
instance is which.

Snort reports itself in syslog by $0 when kill'ed with -USR1 when '#output
alert_syslog', but by "snort" when 'output alert_syslog'.

Any ideas?  Think this is worth submitting a bug report?

Screen captures (to reproduce the behavior) below...

Later,
JP

PS--Found this while "porting" the snortd I just posted to my custom scripts
that handle more than one instance.  Any thoughts on THAT topic appreciated
too.  I'll post those scripts when I'm happy with them.
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."


(Minor reformatting of wrapped lines)

[buildhost:root /dev/pts/0]
/etc/snort-int# cat /etc/redhat-release && uname -a && snort -V
Red Hat Linux release 8.0 (Psyche)
Linux buildhost.jpsdomain.org 2.4.18-27.8.0 #1 Fri Mar 14 06:45:49 EST 2003
i686 i686 i386 GNU/Linux

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch at ...1935..., www.snort.org)

[buildhost:root /dev/pts/0]
/etc/snort-int# grep alert_syslog snort.conf
output alert_syslog: LOG_AUTH LOG_ALERT

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int start
Starting snort-int:                                        [  OK  ]

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int status
snort-int (pid 8294) is running...

[buildhost:root /dev/pts/0]
/etc/snort-int# kill -USR1 8294

[buildhost:root /dev/pts/0]
/etc/snort-int# tail /var/log/messages
May 24 00:43:54 buildhost snort:    Discarded(timeout): 0
May 24 00:43:54 buildhost snort:   Frag2 memory faults: 0
May 24 00:43:54 buildhost snort: ================================
May 24 00:43:54 buildhost snort: TCP Stream Reassembly Stats:
May 24 00:43:54 buildhost snort:         TCP Packets Used: 79   (56.835%)
May 24 00:43:54 buildhost snort:          Stream Trackers: 3
May 24 00:43:54 buildhost snort:           Stream flushes: 0
May 24 00:43:54 buildhost snort:            Segments used: 0
May 24 00:43:54 buildhost snort:    Stream4 Memory Faults: 0
May 24 00:43:54 buildhost snort: ================================

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int stop
Stopping snort-int:                                        [  OK  ]




[buildhost:root /dev/pts/0]
/etc/snort-int# edit snort.conf

[buildhost:root /dev/pts/0]
/etc/snort-int# grep alert_syslog snort.conf
#output alert_syslog: LOG_AUTH LOG_ALERT

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int start
Starting snort-int:                                        [  OK  ]

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int status
snort-int (pid 8336) is running...

[buildhost:root /dev/pts/0]
/etc/snort-int# kill -USR1 8336

[buildhost:root /dev/pts/0]
/etc/snort-int# tail /var/log/messages
May 24 00:45:55 buildhost snort-int:    Discarded(timeout): 0
May 24 00:45:55 buildhost snort-int:   Frag2 memory faults: 0
May 24 00:45:55 buildhost snort-int: ====================================
May 24 00:45:55 buildhost snort-int: TCP Stream Reassembly Stats:
May 24 00:45:55 buildhost snort-int:         TCP Packets Used: 57  (48.718%)
May 24 00:45:55 buildhost snort-int:          Stream Trackers: 3
May 24 00:45:55 buildhost snort-int:           Stream flushes: 0
May 24 00:45:55 buildhost snort-int:            Segments used: 0
May 24 00:45:55 buildhost snort-int:    Stream4 Memory Faults: 0
May 24 00:45:55 buildhost snort-int: ======================================
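A small parser, added here as an example and not part of JP's post or of Snort itself, that reads `/var/log/messages` lines in the format of the two captures above and reports whether each stats line can be tied back to a named instance. It assumes the classic BSD syslog line layout shown on the page, that the instance names (`snort-int`, plus a hypothetical `snort-ext`) are the symlink names the operator starts, and that an ident may carry an optional `[pid]` suffix (not present in the captures).

```python
import re

# Classic BSD syslog line as written on the page:
#   "May 24 00:43:54 buildhost snort:    Discarded(timeout): 0"
# The ident may carry a PID suffix ("snort[8294]:") if the logger used
# LOG_PID; the captured lines have none, so the pid group is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Constructed sample: lines copied from the two `tail /var/log/messages`
# captures above (first run with alert_syslog on, second with it commented out).
SAMPLE_WITH_PLUGIN = [
    "May 24 00:43:54 buildhost snort:    Discarded(timeout): 0",
    "May 24 00:43:54 buildhost snort:   Frag2 memory faults: 0",
    "May 24 00:43:54 buildhost snort: TCP Stream Reassembly Stats:",
]
SAMPLE_WITHOUT_PLUGIN = [
    "May 24 00:45:55 buildhost snort-int:    Discarded(timeout): 0",
    "May 24 00:45:55 buildhost snort-int:   Frag2 memory faults: 0",
    "May 24 00:45:55 buildhost snort-int: TCP Stream Reassembly Stats:",
]


def parse_syslog_line(line):
    """Return a dict of fields (ts, host, ident, pid, msg) or None if the
    line is not in BSD syslog format. pid is an int or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["msg"] = rec["msg"].strip()
    return rec


def audit_instance_idents(lines, instances):
    """Count lines attributable to a named instance versus lines that are not.
    `instances` is the set of per-instance names the operator runs (assumed
    to be the symlink names). A line is attributable when its ident is one of
    them; the generic ident "snort" with no PID, as produced in the first
    capture, cannot be tied to any particular instance."""
    attributed, unattributable = {}, 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        if rec["ident"] in instances:
            attributed[rec["ident"]] = attributed.get(rec["ident"], 0) + 1
        else:
            unattributable += 1
    return {"attributed": attributed, "unattributable": unattributable}
```

Running the audit over a real log before relying on the ident to separate instances shows at once whether the `output alert_syslog` setting has collapsed every instance into plain `snort`.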




