From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Wed Oct 16 2002 - 02:32:04 CDT


    OK, let's try this again since the first one got sent "blank", who knows...

    I found this strange, since when I ran 1.8.7 I liked to log via syslog.
    Since moving to 1.9.0 (been running beta6 for a while)
    I moved on.

    I tried running snort with just -s.. and like you stated I got the
    "Usage" screen.....

    (rootcerebro)(~) snort -i rl0 -s -c /etc/snort/snort.conf
    Initializing Output Plugins!
    Log directory = /var/log/snort

    Initializing Network Interface rl0
    ERROR: OpenPcap() FSM compilation failed:
            syntax error
    PCAP command: /etc/snort/snort.conf
    Fatal Error, Quitting..

    IMHO, it's expecting an argument after -s (it didn't like -c
    /etc/snort/snort.conf).

    Some digging into my /etc/snort/snort.conf file.. found the following:

    # alert_syslog: log alerts to syslog
    # ----------------------------------
    # Use one or more syslog facilities as arguments
    #
    # output alert_syslog: LOG_AUTH LOG_ALERT

    I wondered if the snort developers have made it so you have to pass an
    argument to the command line switch.
    I attempted doing this with the following:

    (rootcerebro)(~) /usr/local/bin/snort -i rl0 -c /etc/snort/snort.conf -s LOG_AUTH -D
    Initializing Output Plugins!
    (rootcerebro)(~) tail -f /var/log/daemon
    <snip>
    Oct 16 00:27:44 cerebro snort: target_limit: 5
    Oct 16 00:27:44 cerebro snort: port_limit: 20
    Oct 16 00:27:44 cerebro snort: timeout: 60
    Oct 16 00:27:53 cerebro snort[7111]: Snort initialization completed successfully, Snort running

    As you can see, when passing the LOG_AUTH argument on the command line,
    snort worked perfectly.
    You might want to check out the Snort user's manual, available as HTML or
    PDF...

    http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1

    The URL above lists the facilities that alert_syslog takes.. either via
    output in snort.conf or, as now seen in 1.9, via the command line
    argument.

    hope it helps

        - Albert

    archana rao wrote:

    >Hi,
    > I followed the steps you had mentioned, and now I
    >have discovered another problem. Snort-1.9.0 is not
    >accepting the -s (log alerts to syslog) command line
    >option. It gives me either a "fatal error, quitting"
    >error message, or prints out the "USAGE:...."
    >message. I noticed that I was getting the alerts in
    >Snort-1.8.7 when I was using the -s option and so,
    >when I tried doing the same thing, Snort-1.9.0 doesn't
    >seem to be able to recognize the option. Any ideas?
    >Thanks in advance,
    >Archana

    -- 
    The secret to success is to start from scratch and keep on scratching.
    
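Added example, not from the post or from the Snort project: a POSIX sh preflight check for the argument shape discussed above, where a bare `-s` in Snort 1.9.0 swallows the following `-c` and the config path ends up handed to pcap as a filter expression (the "FSM compilation failed" error). The facility list is an assumption taken from syslog(3); the post itself only names LOG_AUTH and LOG_ALERT.

```shell
#!/bin/sh
# Preflight check for a Snort 1.9 command line. In 1.9.0 "-s" takes a syslog
# facility argument, so "snort -s -c snort.conf" gives "-c" to -s and leaves
# "snort.conf" as the pcap filter, which fails to compile. This wrapper rejects
# that shape before snort is ever started.
# Assumption: facility names as defined by syslog(3); extend if your build
# accepts more.
KNOWN_FACILITIES="LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_USER LOG_SYSLOG \
LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7"

# is_known_facility NAME -> 0 if NAME is in KNOWN_FACILITIES, 1 otherwise
is_known_facility() {
    for f in $KNOWN_FACILITIES; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# check_snort_args ARGS... -> 0 if every -s is followed by a facility name,
# 1 if -s is last, is followed by another option (e.g. -c), or names an
# unknown facility.
check_snort_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)
                shift
                if [ $# -eq 0 ]; then
                    echo "check_snort_args: -s needs a syslog facility" >&2
                    return 1
                fi
                case "$1" in
                    -*) echo "check_snort_args: -s would swallow option '$1'" >&2
                        return 1 ;;
                esac
                if ! is_known_facility "$1"; then
                    echo "check_snort_args: unknown facility '$1'" >&2
                    return 1
                fi
                ;;
        esac
        shift
    done
    return 0
}

# run_snort ARGS...: start snort only once the argument shape is sane.
run_snort() {
    check_snort_args "$@" || return 1
    snort "$@"
}
```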
