Dear Robert,

On Sat, Feb 02, 2002 at 12:57:20PM +0100, Robert van der Meulen wrote:
> Indeed. Snort default logs to the 'auth' facility, which might end up in
> /var/log/auth.log. The 'snort-stat' script finds out where snort logs, by
> doing something like syslogd-listfiles --auth.

My apologies for being slightly too hasty, but I had noticed that there
had been some bug fixes that were NMUed instead of being fixed by you and
(probably incorrectly) assumed that you were not actively looking into
snort's bugs since I filed my bug report.

My question now, however, is if snort is meant by default to log to the
'auth' facility, then shouldn't I see messages within /var/log/auth.log
after nmapping myself three times in a row with snort in its default
Debian configuration? Or could there possibly be another bug that is
preventing snort from passing on messages to syslog at this moment?
Another possibility could be that snort just ignores portscans from
localhost, but that wouldn't seem right.

I am still curious as to whether snort in its default Debian configuration
is meant to communicate with syslogd, as the lack of the -s option in its
init.d script and the commenting of alert_syslog plugin in snort.conf
would indicate otherwise. Enabling the above two options still does not
result in alerts to auth.log when I portscan myself.

I'm very confused now = )

Thanks,
Andrew "Netsnipe" Lau

-- 
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau        DebianPlanet.org Editor & Comp.Sci, UNSW   *
* "apt-get into it"            Debian GNU/Linux New Maintainer            *
* <netsnipe @/ debianplanet.org>    <awhl435 @/ cse.unsw. edu.au>         *
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1 9F4A 9B24 C07D 2E8B 68BD  *
---------------------------------------------------------------------------