Re: Snort-1.9.0 not generating required alerts

[archana rao <archuatdavis () yahoo com>]

Hey, thanks for the help.But whatever I do, nothing
seems to be working.I am still unable to get Snort to
raise the required alerts even though, now the errors
have disappeared with the -s option.I just don't seem
to be able to figure out what is going wrong.Any help
would be greatly appreciated.
Archana

--- Alberto Gonzalez <ag-snort () cerebro violating us>
wrote:
> ok lets try this again since the first one got sent
> "blank" who knows...
>
> i found this strange, since when i ran 1.8.7 i liked
> to log via syslog. 
> Since moving to 1.9.0 (been running beta6 for
> awhile)
> i moved on.
>
> I tried running snort with just -s.. and like you
> stated I got the 
> "Usage" screen.....
>
> (root@cerebro)(~) snort -i rl0 -s -c
> /etc/snort/snort.conf  
> Initializing Output Plugins!
> Log directory = /var/log/snort
>
> Initializing Network Interface rl0
> ERROR: OpenPcap() FSM compilation failed:
>         syntax error
> PCAP command: /etc/snort/snort.conf
> Fatal Error, Quitting..
>
> IMHO, its expecting an argument after -s (it didnt
> like -c 
> /etc/snort/snort.conf)
>
> some digging into my /etc/snort/snort.conf file..
> found the following:
>
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments
> #
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> I wondered if the snort developers have made it so
> you have to pass a 
> argument to the command line switch.
> I attempted doing this with the following
>
> (root@cerebro)(~) /usr/local/bin/snort -i rl0 -c
> /etc/snort/snort.conf 
> -s LOG_AUTH -D
> Initializing Output Plugins!
> (root@cerebro)(~) tail -f /var/log/daemon 
> <snip>
> Oct 16 00:27:44 cerebro snort:     target_limit: 5
> Oct 16 00:27:44 cerebro snort:     port_limit: 20
> Oct 16 00:27:44 cerebro snort:     timeout: 60
> Oct 16 00:27:53 cerebro snort[7111]: Snort
> initialization completed 
> successfully, Snort running
>
> As you can see,  when passing the LOG_AUTH argument
> to the command line, 
> snort worked perfectly.
> You might want to check out the snort users manual
> available via html or 
> pdf...
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1
> that URL above has the facilities that alert_syslog
> takes.. either via 
> output in snort.conf or now seen in 1.9 via command
> line
> argument.
>
> hope it helps
>
>     - Albert
>
> archana rao wrote:
>
> > Hi,
> >   I followed the steps you had mentioned, and now
> I
> > have discovered another problem.Snort-1.9.0 is not
> > accepting the -s(log alerts to syslog) command line
> > option.It gives me either a "fatal error, quitting"
> > error message, or prints out the "USAGE:...."
> > message.I noticed that I was getting the alerts in
> > Snort-1.8.7 when I was using the -s option and so,
> > when I tried doing the same thing, Snort-1.9.0
> doesn't
> > seem to be able to recognize the option.Any ideas?
> > Thanks in advance,
> > Archana
> >
> >
> >  
> -- 
> The secret to success is to start from scratch and
> keep on scratching.


__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users