I am running macOS Sierra 10.12.3
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.12.3
BuildVersion: 16D32
I have installed snort using homebrew
$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0
I am running snort with a user config file, the -s syslog switch, and a tcpdump file:
$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap
My /etc/snort/snort.conf file has the following output settings:
output alert_syslog: LOG_AUTH LOG_ALERT
When I execute this, a blank file gets created at /var/log/snort/snort.log.1489953549
I know that my rules are working, because if I execute snort with an alert mode of fast:
$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap
a new blank /var/log/snort/snort.log.1489954258 is created, but a /var/log/snort/alert log file is also created, which contains the correct alert outputs.
I have seen others run into this issue because of permissions, but I don't believe that is my problem, given that I am running snort as sudo and it is able to write to the alert log just fine.
I also do not have $NO_PACKET_LOG set, as far as I can tell (reference).
It looks like brew installed some default snort config files under /usr/local/etc/snort, but I don't think that these are affecting me because I am using the -c switch to supply a user config file.
DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.
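The comparison the question relies on (the /var/log/snort/alert file from the -A fast run on one side, whatever the -s run sent to syslog on the other) can be checked mechanically rather than by eye. The script below is an added example, not code from the question or from the Snort project: it parses fast-mode alert lines and snort syslog lines by their shared [gid:sid:rev] tag and lists the signatures that fired in fast mode but never reached syslog. The alert lines and syslog lines embedded in it are constructed samples in the shape of `snort -A fast` output and alert_syslog output; the hostname, PID and addresses are made up, and which syslog file to read on a given macOS release is left to the reader.

```python
"""Cross-check Snort fast-alert output against what reached syslog.

Added example, not part of the original post. The sample lines below are
constructed to look like `snort -A fast` output and alert_syslog lines.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of /var/log/snort/alert as produced by `snort -A fast`.
FAST_ALERTS = """\
03/19-14:25:58.123456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
03/19-14:26:02.654321  [**] [1:1000002:2] LOCAL HTTP GET to test host [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51234 -> 93.184.216.34:80
"""

# Constructed sample of syslog output: one snort alert made it, the other did not;
# the unrelated sshd line shows that foreign daemons are ignored.
SYSLOG_LINES = """\
Mar 19 14:25:58 mbp snort[4242]: [1:1000001:1] LOCAL ICMP echo request [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
Mar 19 14:26:02 mbp sshd[300]: Accepted publickey for user from 10.0.0.9 port 50000 ssh2
"""

# One fast-mode alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and endpoints.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# A syslog line written by snort's alert_syslog plugin carries the same [gid:sid:rev] tag.
SYSLOG_RE = re.compile(r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] ")


def parse_fast_alerts(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse fast-mode alert lines into dicts; lines that do not match are skipped."""
    alerts: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["sig"] = f"{fields['gid']}:{fields['sid']}:{fields['rev']}"
        alerts.append(fields)
    return alerts


def snort_sigs_in_syslog(text: str) -> List[str]:
    """Return the gid:sid:rev tag of every snort alert found in the syslog text."""
    sigs: List[str] = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            sigs.append(f"{m['gid']}:{m['sid']}:{m['rev']}")
    return sigs


def missing_from_syslog(fast_text: str, syslog_text: str) -> List[str]:
    """Signatures that fired in fast mode but never appeared in syslog, in order, deduplicated."""
    seen = set(snort_sigs_in_syslog(syslog_text))
    missing: List[str] = []
    for alert in parse_fast_alerts(fast_text):
        sig = alert["sig"]
        if sig not in seen and sig not in missing:
            missing.append(sig)
    return missing


def report(fast_text: str, syslog_text: str) -> str:
    """Human-readable summary of the cross-check."""
    alerts = parse_fast_alerts(fast_text)
    missing = missing_from_syslog(fast_text, syslog_text)
    lines = [f"{len(alerts)} fast-mode alert(s) parsed, {len(missing)} missing from syslog"]
    for alert in alerts:
        status = "MISSING" if alert["sig"] in missing else "ok"
        lines.append(f"  [{alert['sig']}] {alert['msg']} {alert['src']} -> {alert['dst']}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FAST_ALERTS, SYSLOG_LINES))
```

To use it on a real run, replace the two sample strings with the contents of the -A fast alert file and of whatever file your syslog daemon writes the LOG_AUTH facility to; an empty list from missing_from_syslog means the -s run delivered every alert, while a list equal to all parsed signatures means nothing from snort reached syslog at all.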