Snort mailing list archives
Fixed: Win32, output alert_syslog: host=xxxx broken?
From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 1 May 2003 19:04:13 -0400 (EDT)
On Thu, 1 May 2003, Rich Adamson wrote:

> I've been running Build 76 on Win2kPro using the startup command line

Where did b76 come from? I don't see that on the Snort.org D/L site.

> option "-s" and output alert_syslog: host=127.0.0.1, LOG_AUTH LOG_ALERT and
> it's been working fine. Might get build 76 and give it a try. Think you
> might need the -s option also.

Argh!!! Adding -s to the CLI fixed it. But that is very confusing! I never
would have thought of that, because my understanding is that CLI options
override conf options, so you DON'T use them when setting everything in the
conf file. So is the rule of thumb now "don't use CLI options EXCEPT that you
must use -s with output alert_syslog?!?" That seems wrong to me, but... It
should probably be either fixed or noted in the sample conf file.

Also, on a related note, there is a format string bug in
snort-2.0.0/src/win32/WIN32-Code/syslog.c. I know this because Marty told me
on 11/23/2002, but I'd thought it was fixed. It adds three spaces between the
syslog facility and the service name:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/01-18:38:29.018619 192.168.1.199:1575 -> 192.168.1.5:514
UDP TTL:128 TOS:0x0 ID:15442 IpLen:20 DgmLen:107
Len: 79
<33> snort: [1:0:0] HPT-Catch All ICMP {ICMP} 192.168.1.199 -> 192.168.1.5

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

<syslog>
May 1 18:38:29 loghost snort: [1:0:0] HPT-Catch All ICMP {ICMP} 192.168.1.199 -> 192.168.1.5
</syslog>

Anyway, thanks for the help with this!

JP

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|            jp () jpsdomain org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed Linux..."
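As an added illustration (not part of the post, and not Snort project code), the script below does the two checks the thread turns on: it decodes the syslog PRI value (`<33>` above) back into the facility and level that `output alert_syslog: ... LOG_AUTH LOG_ALERT` should produce, and it parses the alert datagram while tolerating any amount of whitespace after the PRI, so the three-space output of the Win32 `syslog.c` bug and the normal zero-space BSD form are both accepted. The sample datagram is constructed from the packet dump in the post, with the three spaces the post describes put back in. Treating the bracketed triple as `gid:sid:rev`, and the field names used here, are assumptions of this example, not something the post states.

```python
import re

# Standard BSD syslog facility and severity codes (RFC 3164, section 4.1.1).
# PRI = facility * 8 + severity, so LOG_AUTH (4) + LOG_ALERT (1) gives 33.
FACILITIES = {
    0: "LOG_KERN", 1: "LOG_USER", 2: "LOG_MAIL", 3: "LOG_DAEMON",
    4: "LOG_AUTH", 5: "LOG_SYSLOG", 6: "LOG_LPR", 7: "LOG_NEWS",
    8: "LOG_UUCP", 9: "LOG_CRON", 10: "LOG_AUTHPRIV", 11: "LOG_FTP",
    16: "LOG_LOCAL0", 17: "LOG_LOCAL1", 18: "LOG_LOCAL2", 19: "LOG_LOCAL3",
    20: "LOG_LOCAL4", 21: "LOG_LOCAL5", 22: "LOG_LOCAL6", 23: "LOG_LOCAL7",
}
SEVERITIES = {
    0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
    4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG",
}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
SEVERITY_CODES = {name: code for code, name in SEVERITIES.items()}

# Tolerant pattern: "\s*" after "<PRI>" accepts the buggy three-space output
# as well as the normal zero-space form. Assumed layout of a Snort 2.0 alert:
#   <PRI>tag: [gid:sid:rev] message {PROTO} src -> dst
_ALERT_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>\s*(?P<tag>[A-Za-z0-9_.-]+):\s*"
    rb"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*"
    rb"(?P<msg>.*?)\s*\{(?P<proto>[A-Z]+)\}\s*"
    rb"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*$",
    re.DOTALL,
)


def expected_pri(facility: str, severity: str) -> int:
    """PRI that an 'output alert_syslog: ... FACILITY SEVERITY' line should yield."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return (FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8])


def parse_alert_datagram(datagram: bytes) -> dict:
    """Parse one Snort alert_syslog UDP payload into its fields."""
    m = _ALERT_RE.match(datagram.rstrip(b"\r\n\x00"))
    if m is None:
        raise ValueError(f"not a Snort syslog alert: {datagram!r}")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    # Count the whitespace between "<PRI>" and the tag: 3 on the buggy Win32
    # build the post describes, 0 on a clean BSD-style sender.
    after_pri = datagram[datagram.index(b">") + 1:]
    padding = len(after_pri) - len(after_pri.lstrip())
    return {
        "pri": pri, "facility": facility, "severity": severity,
        "tag": m["tag"].decode(),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"].decode(), "proto": m["proto"].decode(),
        "src": m["src"].decode(), "dst": m["dst"].decode(),
        "padding_after_pri": padding,
    }


def matches_config(datagram: bytes, facility: str, severity: str) -> bool:
    """True when the datagram's PRI is what the configured facility/level should give."""
    return parse_alert_datagram(datagram)["pri"] == expected_pri(facility, severity)


# Constructed sample: the datagram from the post's packet dump, with the three
# spaces after the PRI that the Win32 syslog.c bug inserts.
SAMPLE = b"<33>   snort: [1:0:0] HPT-Catch All ICMP {ICMP} 192.168.1.199 -> 192.168.1.5"

if __name__ == "__main__":
    fields = parse_alert_datagram(SAMPLE)
    for key, value in fields.items():
        print(f"{key:>18}: {value}")
    print("PRI matches 'LOG_AUTH LOG_ALERT':",
          matches_config(SAMPLE, "LOG_AUTH", "LOG_ALERT"))
```

The `padding_after_pri` field is there so a collector can tell the two senders apart; a strict RFC 3164 receiver that expects the tag to follow `>` immediately would otherwise mis-split the tag on the buggy build, which is the practical effect of the spacing bug the post reports.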