I keep getting blank messages sent from root ... I did a little digging around and found out that these are sent by /etc/cron.daily/5snort. I think this is Debian-specific, since it gets my e-mail address from /etc/snort/snort.debian.conf. The variable is DEBIAN_SNORT_STATS_RCPT, and the script being run to generate statistics is /usr/sbin/snort-stat.
It seems that snort-stat ends up reading /var/log/auth.log. However, the reason the message is blank is because it determines that this is not a snort log and therefore exits without doing anything (it would be nice if it said that the reason it aborted was because it wasn't looking at a snort log).

I upgraded from 1.7-9 to 1.8.4beta1-2. I noticed that the 5snort script now tests to see if the output file from snort-stat is empty before it decides to send. This would make it so that messages don't get sent ... but does it fix the problem? I noticed that snort-stat still thinks that auth.log isn't a snort log file. Is this just because snort hasn't detected anything or is it perhaps using incorrect criteria to test whether it's a snort log?

Thanks!
Jen