Snort mailing list archives

RE: Repost: Syslog, but I don't want it


From: Marc Thompson <Marc.Thompson () bops com>
Date: Sun, 3 Jun 2001 20:56:49 -0500

As requested, my snort config without comment lines.  I earlier
hypothesized that the lack of the '-l' command-line argument
to snort caused it to log to syslog by default.  My hypothesis
turned out to be wrong, though.  

So, I'm still having the problem.

My current snort command line is:
        snort -c /etc/snort/snort.conf -i eth1 -Dd -l /var/log/snort

Thank you,
Marc Thompson

** Snort conf file.  Only thing different is that I've
obfuscated the IP addresses.

var HOME_NET xxx.xxx.xxx.xxx/xxx
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out
output database: log, mysql, user=snort password=xxxx dbname=snort host=xxxx sensor_name=nids encoding=hex
include /etc/snort/webcgi-lib
include /etc/snort/webcf-lib
include /etc/snort/webiis-lib
include /etc/snort/webfp-lib
include /etc/snort/webmisc-lib
include /etc/snort/overflow-lib
include /etc/snort/finger-lib
include /etc/snort/ftp-lib
include /etc/snort/smtp-lib
include /etc/snort/telnet-lib
include /etc/snort/misc-lib
include /etc/snort/netbios-lib
include /etc/snort/scan-lib
include /etc/snort/ddos-lib
include /etc/snort/backdoor-lib
#include /etc/snort/ping-lib
include /etc/snort/rpc-lib
include /etc/snort/virus-lib

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information.  Any unauthorized review,
use, disclosure, or distribution is prohibited.  If you are not the intended
recipient, please contact the sender and destroy all copies of the original
message.


-----Original Message-----
From: Fyodor [mailto:fygrave () tigerteam net]
Sent: Saturday, June 02, 2001 5:03 AM
To: Marc Thompson
Cc: 'snort-users () lists sourceforge net'; 'joey () silicondefense com'
Subject: Re: [Snort-users] Repost: Syslog, but I don't want it


On Fri, Jun 01, 2001 at 10:10:10AM -0500, Marc Thompson wrote:
> Joe,
> 
> You recommended that I run snort without the -D (Daemon-mode)
> option.  I tried this, ran nmap, alerts fired but weren't sent
> to syslog.  This is the behavior that I want, so your idea worked.
> 
> So, it seems that running snort in Daemon mode enables syslog
> logging via the LOCAL facility.  I imagine that this is by design.

By design only errors and warnings are logged via syslog if it's running
in daemon mode.

> What do you recommend I try next? Bug report?  Enhancement Request?

Well, if you could show us relevant snippets of the configuration file,
so we could reproduce 'the bug', it would be helpful indeed. :)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
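The snort.conf directives shown in the message (var, preprocessor, output, include) are simple enough to audit mechanically for where alerts are sent. The following is an added example, not code from this thread or from the Snort project: it parses a constructed config modelled on the poster's (the network, host name and password are placeholders) and lists the configured output plugins, flagging any alert_syslog writer.

```python
import re

# Constructed sample modelled on the poster's config; one backslash-continued
# line is included deliberately, since Snort's parser accepts continuations.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
preprocessor defrag
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: tcpdump.out
output database: log, mysql, user=snort password=xxxx dbname=snort host=db \\
    sensor_name=nids encoding=hex
#include /etc/snort/ping-lib
include /etc/snort/rpc-lib
"""

def _logical_lines(text):
    """Strip '#' comments and join backslash-continued lines into one directive."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: accumulate and keep reading
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line

def parse_conf(text):
    """Return vars, preprocessors, outputs and includes; entries are (name, args)."""
    conf = {"vars": {}, "preprocessors": [], "outputs": [], "includes": []}
    for line in _logical_lines(text):
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            conf["vars"][name] = value.strip()
            continue
        # Expand $NAME references with the vars seen so far, as Snort does.
        rest = re.sub(r"\$(\w+)", lambda m: conf["vars"].get(m.group(1), m.group(0)), rest)
        if keyword == "include":
            conf["includes"].append(rest)
        elif keyword in ("preprocessor", "output"):
            name, _, args = rest.partition(":")
            key = "preprocessors" if keyword == "preprocessor" else "outputs"
            conf[key].append((name.strip(), args.strip()))
    return conf

def syslog_outputs(conf):
    """Output plugins that would send alerts to syslog (the alert_syslog plugin)."""
    return [o for o in conf["outputs"] if o[0] == "alert_syslog"]
```

Run against the poster's config this reports no syslog output plugin, which is why the -D behaviour had to be explained by Snort itself rather than by the file.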

