I am running macOS Sierra 10.12.3
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.12.3
BuildVersion: 16D32
I have installed snort using homebrew
$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0
I am running snort with a user config file, the -s syslog switch, and a tcpdump file:
$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap
My /etc/snort/snort.conf file has the following output settings:
output alert_syslog: LOG_AUTH LOG_ALERT
When I execute, a blank file gets created at /var/log/snort/snort.log.1489953549
I know that my rules are working, because if I execute snort with an alert-mode of fast
$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap
a new blank /var/log/snort/snort.log.1489954258 is created, but a /var/log/snort/alert log file is also created, which contains the correct alert outputs.
I have seen others run into this issue because of permissions, but I don't believe that is my problem given that I am running snort as sudo and it is able to write to the alert log just fine.
I also do not have $NO_PACKET_LOG, as far as I can tell (reference).
It looks like brew installed some default snort config files under /usr/local/etc/snort, but I don't think that these are affecting me because I am using the -c switch to supply a user config file.
DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.
TL;DR
- Use tcpdump, snort, tshark, or Wireshark to read snort log files (how to view snort log files)
- My empty log file was never actually empty (note file sizes from ls)
- Snort log files must be read using the correct application

What type of file is it?
Read the file with tcpdump
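The point of the answer above is that snort.log.TIMESTAMP is a binary libpcap file, not text, so it looks "blank" in an editor even when it is not. The following is an added example (not code from the question or the answer) that parses the libpcap global header and packet records directly, the same framing that tcpdump -r and tshark -r read before decoding packets. The capture it inspects is constructed inline (one Ethernet/ARP frame with made-up MAC and IP addresses, timestamped with the epoch seconds from the question's filename) so it runs offline; the 24-byte header-only case stands in for a run that logged no packets, which is an assumption about what Snort's pcap logger leaves behind rather than something the page states. The summarize() wording mimics the "tcpdump capture file" description file(1) gives, but the function is this example's own.

```python
"""Inspect a Snort binary (libpcap-format) log without tcpdump/Wireshark.

Added example, not from the question or answer above.  Snort's default
packet logger writes libpcap files; this parses the libpcap global header
and per-packet records, which is what `tcpdump -r` / `tshark -r` do before
decoding.  The sample capture is constructed inline (not a real snort.log).
"""
import struct

PCAP_GLOBAL_HDR = 24  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16  # ts_sec, ts_frac, incl_len, orig_len

# Magic values as seen when the first 4 bytes are unpacked little-endian.
_MAGICS = {
    0xa1b2c3d4: ("<", "usec"),  # little-endian writer, microsecond timestamps
    0xa1b23c4d: ("<", "nsec"),  # little-endian writer, nanosecond timestamps
    0xd4c3b2a1: (">", "usec"),  # big-endian writer, microsecond timestamps
    0x4d3cb2a1: (">", "nsec"),  # big-endian writer, nanosecond timestamps
}


def pcap_byte_order(data):
    """Return (struct byte-order prefix, timestamp resolution), or None if not libpcap."""
    if len(data) < 4:
        return None
    return _MAGICS.get(struct.unpack("<I", data[:4])[0])


def parse_pcap(data):
    """Parse an in-memory libpcap file.

    Returns a dict with byte_order, version, snaplen, linktype and a list of
    packets as (ts_sec, ts_frac, incl_len, orig_len, payload_bytes).
    Raises ValueError for non-pcap or truncated input.
    """
    order = pcap_byte_order(data)
    if order is None:
        raise ValueError("bad magic, not a libpcap file")
    end, res = order
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("truncated global header")
    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        end + "IHHiIII", data[:PCAP_GLOBAL_HDR])
    packets = []
    off = PCAP_GLOBAL_HDR
    while off < len(data):
        if off + PCAP_RECORD_HDR > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            end + "IIII", data[off:off + PCAP_RECORD_HDR])
        off += PCAP_RECORD_HDR
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_frac, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return {"byte_order": end, "ts_resolution": res, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype, "packets": packets}


def summarize(data):
    """One-line verdict in the spirit of file(1), plus the packet count."""
    try:
        info = parse_pcap(data)
    except ValueError as e:
        return "not a pcap file: %s" % e
    return "tcpdump capture file, linktype %d, %d packet(s)" % (
        info["linktype"], len(info["packets"]))


def _build_sample(end="<"):
    """Constructed capture: one 42-byte Ethernet/ARP request (LINKTYPE_ETHERNET = 1)."""
    arp = (bytes.fromhex("ffffffffffff")              # dst MAC: broadcast
           + bytes.fromhex("0a0000000001")            # src MAC (made up)
           + b"\x08\x06"                              # EtherType ARP
           + b"\x00\x01\x08\x00\x06\x04\x00\x01"      # hw=Ethernet, proto=IPv4, hlen, plen, op=request
           + bytes.fromhex("0a0000000001") + bytes([192, 168, 1, 10])   # sender MAC/IP
           + bytes(6) + bytes([192, 168, 1, 1]))                        # target MAC/IP
    ghdr = struct.pack(end + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack(end + "IIII", 1489953549, 0, len(arp), len(arp))
    return ghdr + rhdr + arp


SAMPLE_PCAP = _build_sample()             # little-endian writer, as on x86 macOS
SAMPLE_PCAP_BE = _build_sample(">")       # same capture from a big-endian writer
HEADER_ONLY_PCAP = SAMPLE_PCAP[:PCAP_GLOBAL_HDR]  # assumed shape of a log with no packets
TEXT_ALERT = b"[**] [1:1000001:0] test alert [**]\n"  # constructed text-mode alert line

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # python3 inspect_pcap.py /var/log/snort/snort.log.NNN
        with open(sys.argv[1], "rb") as f:
            print(summarize(f.read()))
    else:
        for blob in (SAMPLE_PCAP, HEADER_ONLY_PCAP, TEXT_ALERT):
            print(summarize(blob))
```

Run it against a real snort.log.TIMESTAMP path to confirm the "empty" file is a capture, and check ls -l first: a 24-byte file is only the global header, which this parser reports as a valid capture with 0 packets.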