Snort mailing list archives

Snort 1.9.1 and syslog identity


From: jjaddiss () mmm com
Date: Fri, 28 Mar 2003 16:42:27 -0500

I run Snort twice on the same box monitoring two different NICs, both
anonymous. I run one as "snort-inside" and the other as "snort-outside".
I'd like the log messages to be specific to the version that I'm running,
but they are not. They both put their entries in syslog as 'Snort:'.

I looked into why this is the case and discovered that the
spo_alert_syslog.c plugin hard coded the program name. So I've created the
following patch to change it so that it uses the (already saved) progname
variable.

Any chance this could be rolled into the source tree for an upcoming
version (2.0?) of snort?

Thank you - Justus

diff -c spo_alert_syslog.c.orig spo_alert_syslog.c
*** spo_alert_syslog.c.orig     Sat Nov  2 16:46:14 2002
--- spo_alert_syslog.c  Tue Mar 25 11:57:33 2003
***************
*** 119,133 ****
   */
  void AlertSyslogInit(u_char *args)
  {
      SyslogData *data;
      DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Alert-Syslog
Initialized\n"););

      pv.alert_plugin_active = 1;

      /* parse the argument list from the rules file */
      data = ParseSyslogArgs(args);

!     openlog("snort", data->options, data->facility);

      DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking syslog alert function to
call list...\n"););

--- 119,145 ----
   */
  void AlertSyslogInit(u_char *args)
  {
+     char *shortprogname;
      SyslogData *data;
      DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Alert-Syslog
Initialized\n"););

+     /* lose the path part of the progname if present */
+     shortprogname = strrchr(progname, '/');
+     if (shortprogname == NULL)
+     {
+       shortprogname = progname;
+     }
+     else
+     {
+       shortprogname += 1;
+     }
+
      pv.alert_plugin_active = 1;

      /* parse the argument list from the rules file */
      data = ParseSyslogArgs(args);

!     openlog(shortprogname, data->options, data->facility);

      DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking syslog alert function to
call list...\n"););
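
Review bot: at the new openlog(shortprogname, ...) call, syslog keeps the ident pointer rather than copying the string, and shortprogname points into progname, so the tag is only valid as long as progname is never freed or rewritten after init. A comment stating that, or passing a private copy of the name, would make the lifetime explicit. The strrchr(progname, '/') line also assumes progname is non-NULL when this plugin initialises; falling back to the old literal "snort" in that case would keep the previous behaviour. Because the tag now follows the invoked name, any syslog filter, log-watcher rule or forwarding match keyed on the literal "snort" tag will stop matching once the binary is run under another name, so the change deserves a line in the documentation or changelog.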



