Snort mailing list archives

Snort bug in syslog output?


From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 24 May 2003 00:56:11 -0400 (EDT)


I've found what looks like a bug in Snort's syslog output.  But it could be me
just doing something crazy.  When running more than one instance of Snort on a
single server, I've been playing with using symlinks to keep track of which
instance is which.

Snort reports itself in syslog by $0 when kill'ed with -USR1 when '#output
alert_syslog', but by "snort" when 'output alert_syslog'.

Any ideas?  Think this is worth submitting a bug report?

Screen captures (to reproduce the behavior) below...

Later,
JP

PS--Found this while "porting" the snortd I just posted to my custom scripts
that handle more than one instance.  Any thoughts on THAT topic appreciated
too.  I'll post those scripts when I'm happy with them.
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."


(Minor reformatting of wrapped lines)

[buildhost:root /dev/pts/0]
/etc/snort-int# cat /etc/redhat-release && uname -a && snort -V
Red Hat Linux release 8.0 (Psyche)
Linux buildhost.jpsdomain.org 2.4.18-27.8.0 #1 Fri Mar 14 06:45:49 EST 2003
i686 i686 i386 GNU/Linux

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

[buildhost:root /dev/pts/0]
/etc/snort-int# grep alert_syslog snort.conf
output alert_syslog: LOG_AUTH LOG_ALERT

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int start
Starting snort-int:                                        [  OK  ]

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int status
snort-int (pid 8294) is running...

[buildhost:root /dev/pts/0]
/etc/snort-int# kill -USR1 8294

[buildhost:root /dev/pts/0]
/etc/snort-int# tail /var/log/messages
May 24 00:43:54 buildhost snort:    Discarded(timeout): 0
May 24 00:43:54 buildhost snort:   Frag2 memory faults: 0
May 24 00:43:54 buildhost snort: ================================
May 24 00:43:54 buildhost snort: TCP Stream Reassembly Stats:
May 24 00:43:54 buildhost snort:         TCP Packets Used: 79   (56.835%)
May 24 00:43:54 buildhost snort:          Stream Trackers: 3
May 24 00:43:54 buildhost snort:           Stream flushes: 0
May 24 00:43:54 buildhost snort:            Segments used: 0
May 24 00:43:54 buildhost snort:    Stream4 Memory Faults: 0
May 24 00:43:54 buildhost snort: ================================

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int stop
Stopping snort-int:                                        [  OK  ]




[buildhost:root /dev/pts/0]
/etc/snort-int# edit snort.conf

[buildhost:root /dev/pts/0]
/etc/snort-int# grep alert_syslog snort.conf
#output alert_syslog: LOG_AUTH LOG_ALERT

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int start
Starting snort-int:                                        [  OK  ]

[buildhost:root /dev/pts/0]
/etc/snort-int# /etc/init.d/snort-int status
snort-int (pid 8336) is running...

[buildhost:root /dev/pts/0]
/etc/snort-int# kill -USR1 8336

[buildhost:root /dev/pts/0]
/etc/snort-int# tail /var/log/messages
May 24 00:45:55 buildhost snort-int:    Discarded(timeout): 0
May 24 00:45:55 buildhost snort-int:   Frag2 memory faults: 0
May 24 00:45:55 buildhost snort-int: ====================================
May 24 00:45:55 buildhost snort-int: TCP Stream Reassembly Stats:
May 24 00:45:55 buildhost snort-int:         TCP Packets Used: 57  (48.718%)
May 24 00:45:55 buildhost snort-int:          Stream Trackers: 3
May 24 00:45:55 buildhost snort-int:           Stream flushes: 0
May 24 00:45:55 buildhost snort-int:            Segments used: 0
May 24 00:45:55 buildhost snort-int:    Stream4 Memory Faults: 0
May 24 00:45:55 buildhost snort-int: ======================================
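
One way to see what the two identifiers mean on a multi-instance host, as an added example that is not from this post or from Snort itself: a small parser over constructed syslog lines modelled on the captures above, which groups the USR1 statistics by syslog tag and flags any tag that cannot be mapped back to an instance name. The `snort-ext[8400]` lines and the set of expected instance names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two captures in the post. The
# "snort-ext[8400]" lines are an assumed third instance, added to show the
# optional [pid] form that LOG_PID produces.
SAMPLE_LOG = """\
May 24 00:43:54 buildhost snort: TCP Stream Reassembly Stats:
May 24 00:43:54 buildhost snort:         TCP Packets Used: 79   (56.835%)
May 24 00:43:54 buildhost snort:          Stream Trackers: 3
May 24 00:45:55 buildhost snort-int: TCP Stream Reassembly Stats:
May 24 00:45:55 buildhost snort-int:         TCP Packets Used: 57  (48.718%)
May 24 00:45:55 buildhost snort-int:          Stream Trackers: 3
May 24 00:46:10 buildhost snort-ext[8400]: TCP Stream Reassembly Stats:
May 24 00:46:10 buildhost snort-ext[8400]:         TCP Packets Used: 12  (10.000%)
"""

# Classic BSD syslog line: timestamp, host, tag with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# "   Name: 123 ..." statistics lines as printed by the USR1 stats dump.
STAT_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 ()]+?):\s+(?P<value>\d+)")


def parse_line(line):
    """Return (tag, pid_or_None, message), or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("tag"), m.group("pid"), m.group("msg")


def stats_by_tag(text):
    """Group 'name: integer' statistics lines under the syslog tag that wrote them."""
    stats = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, _pid, msg = parsed
        s = STAT_RE.match(msg)
        if s:
            stats[tag][s.group("name")] = int(s.group("value"))
    return dict(stats)


def unattributable_tags(stats, expected_instances):
    """Tags that match none of the per-instance names chosen via $0.

    Lines under such a tag (the plain "snort" written when alert_syslog is
    enabled) cannot be tied to one instance on a multi-instance host.
    """
    return sorted(t for t in stats if t not in expected_instances)
```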