[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions

Dear Robert,

On Sat, Feb 02, 2002 at 12:57:20PM +0100, Robert van der Meulen wrote:
> Indeed. Snort default logs to the 'auth' facility, which might end up in
> /var/log/auth.log. The 'snort-stat' script finds out where snort logs, by
> doing something like syslogd-listfiles --auth.

	My apologies for being slightly too hasty, but I had noticed
that there had been some bug fixes that were NMUed instead of being
fixed by you and (probably incorrectly) assumed that you were not
actively looking into snort's bugs since I filed my bug report.
	My question now, however, is if snort is meant by default to
log to the 'auth' facility, then shouldn't I see messages within
/var/log/auth.log after nmapping myself three times in a row with
snort in its default Debian configuration? Or could there possibly be
another bug that is preventing snort from passing on messages to
syslog at this moment? Another possibility could be that snort just
ignores portscans from localhost, but that wouldn't seem right.
	I am still curious as whether snort in its default Debian
configuration is meant to communicate with syslogd as the lack of the
-s option in its init.d script and the commenting of alert_syslog
plugin in snort.conf would indicate otherwise. Enabling the above two
options still does not result in alerts to auth.log when I portscan
myself. I'm very confused now = )

Andrew "Netsnipe" Lau

* Andrew 'Netsnipe' Lau          DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it"                     Debian GNU/Linux New Maintainer *
*     <netsnipe @/ debianplanet.org>    <awhl435 @/ cse.unsw. edu.au>     * 
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *

Attachment: pgpUxEtY8ddlN.pgp
Description: PGP signature

Reply to: