
Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions



* Andrew Lau (netsnipe@debianplanet.org) [020202 00:34]:
> Hi everyone,
> 	It's been over a month since I submitted bug report #124169 to
> the BTS and snort's maintainer, Robert van der Meulen
> <rvdm at debian dot org>, has not yet replied to me. This bug report is
> effectively holding me back from releasing a fully operational
> razorback (ITP #115609) package to accompany Debian's snort
> package. Pasted below is a copy of that bug report:
> 
> ===========================================================================
> 
> Package: snort
> Version: 1.8p1-1
> Severity: normal
> 
> Dear Robert,
> 	I currently have an ITP to razorback
> <http://www.intersectalliance.com/projects/RazorBack/> which is a
> GNOME front-end to snort. Razorback requires access to /var/log/secure
> in order to provide real time monitoring of snort's status. After
> reading the documentation to snort it would seem that snort is meant
> to log by default to /var/log/secure as enabled by -s in the man page
> and the option you specified in /etc/snort/snort.conf:
> 
>        -s     Send alert messages to  syslog.   On  Linux  boxen,
>               they will appear in /var/log/secure, /var/log/messages
> 	      on many other platforms.
> 
> However, this file doesn't exist, nor is it logged to even if the file is
> created by hand.

Isn't this really an issue with syslog? You're correct; this file
doesn't exist. It looks like -s makes snort send logging data to syslog,
whose output files are configured in /etc/syslog.conf. There's no
reference to /var/log/secure in the stock Debian syslog configuration,
and /var/log/snort/... seems more like the correct "Debian" way of doing
things. Someone more knowledgeable about Debian's log policy may be able
to confirm or deny my guesses, or you could read through the policy
manual. Maybe razorback should be configured to use something other than
/var/log/secure, perhaps /var/log/snort/<whatever>. (I don't have snort
installed so I don't know what the actual filenames are.)

I hope these clues can give you a start in the right direction.

good times,
Vineet

-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
-- 
"I disapprove of what you say, but I will defend to the death your right
to say it." --Beatrice Hall, The Friends of Voltaire, 1906
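The point of Vineet's reply is that `-s` only hands snort's alerts to syslog; which file (if any) they land in is decided entirely by the selectors in /etc/syslog.conf, and the stock Debian configuration has no rule writing to /var/log/secure. The following resolver is an added example, not code from this thread or from the snort or razorback projects: it parses classic sysklogd-style selector lines (the syntax Debian used at the time; rsyslog still accepts the same legacy lines) and reports where a message with a given facility and priority would be written. The sample configuration is constructed, not copied from a real host, and the facility/priority pair used for snort is an assumption (snort's alert_syslog output documents authpriv/alert as its default; check the `output alert_syslog:` line in your own snort.conf).

```python
import re

# Constructed sample of a sysklogd-style /etc/syslog.conf.  The first
# rule mirrors the kind of auth/authpriv line a stock Debian box of that
# era carried; nothing here routes anything to /var/log/secure, which is
# exactly the situation the bug report describes.
SAMPLE_SYSLOG_CONF = """\
# /etc/syslog.conf -- constructed example, not a real host's file
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
mail.*                          -/var/log/mail.log
*.emerg                         *
"""

# syslog priorities in ascending order of severity
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Assumed default for snort -s (see lead-in): facility authpriv, priority alert.
SNORT_FACILITY, SNORT_PRIORITY = "authpriv", "alert"


def parse_syslog_conf(text):
    """Return (selector, action) pairs, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # selector with no action: malformed, skip it
        rules.append((parts[0], parts[1]))
    return rules


def priority_matches(spec, prio):
    """Evaluate one priority spec ('*', 'none', '=err', '!err', 'err')."""
    if spec == "*":
        return True
    if spec == "none":
        return False
    level = PRIORITIES.index(prio)
    if spec.startswith("!="):          # every priority except this one
        return level != PRIORITIES.index(spec[2:])
    if spec.startswith("="):           # exactly this priority
        return level == PRIORITIES.index(spec[1:])
    if spec.startswith("!"):           # strictly below this priority
        return level < PRIORITIES.index(spec[1:])
    return level >= PRIORITIES.index(spec)  # this priority and higher


def selector_matches(selector, facility, prio):
    """sysklogd semantics: clauses are ';'-separated and the last clause
    that names the facility wins, which is how '*.*;auth.none' excludes auth."""
    matched = None
    for clause in selector.split(";"):
        facs, _, spec = clause.rpartition(".")
        if not facs:
            continue
        fac_list = facs.split(",")
        if "*" in fac_list or facility in fac_list:
            matched = priority_matches(spec, prio)
    return bool(matched)


def destinations(conf_text, facility, prio):
    """All actions (file paths, or '*' for wall-to-all-users) that would
    receive a facility.prio message under this configuration."""
    out = []
    for selector, action in parse_syslog_conf(conf_text):
        if selector_matches(selector, facility, prio):
            out.append(action.lstrip("-"))  # leading '-' only means "don't fsync"
    return out


def is_routed_to(conf_text, facility, prio, path):
    """True if a facility.prio message would be written to the given file."""
    return path in destinations(conf_text, facility, prio)


if __name__ == "__main__":
    print("snort alerts go to:", destinations(SAMPLE_SYSLOG_CONF, SNORT_FACILITY, SNORT_PRIORITY))
    print("reaches /var/log/secure?",
          is_routed_to(SAMPLE_SYSLOG_CONF, SNORT_FACILITY, SNORT_PRIORITY, "/var/log/secure"))
```

Running it against the sample configuration shows the alerts landing in /var/log/auth.log and never in /var/log/secure, which is the check to run before pointing a front-end at a hard-coded log path: either add a selector for the facility snort actually uses, or make the front-end read the file the local syslog configuration really writes.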
