I tried to configure the snort to make alert file (fast alerts) for the Razorback.
The snort make logs to the syslog, but the alert file remains empty!

I commented out the syslog output line from the snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT
and I put this:
output alert_fast: alert

but there isn't any change...

I use:
SuSE linux 9.0
Snort 2.0.1-98
Razorback 1.0.3-1

Please help me!

Thanks:
Gyuszko

The snort make logs to the syslog, but the alert file remains empty!
It's possible there are no alerts?
Was Snort restarted after you made the change?
How about using the full /path/and/filename ?

Meanwhile I realized that, the alerts in the syslog came from the SuSE FW.
So there aren't any alerts from snort.

"It's possible there are no alerts?"

Now I'm sure there aren't!

"Was Snort restarted after you made the change?"

Yes, of course (hundred times ).

"How about using the full /path/and/filename ?"

I'll tried it. The snort made an alert file, but it remains empty.

How about this:
1. Remove the "fast" line from snort.conf
2. Add this to /etc/syslog.conf: "local7.*<TABS>/var/log/snort/alert.log" and restart Syslogd.
3. Add this to snort.conf: "output alert_syslog: LOG_LOCAL7" and restart Snort.

Make sure the rest of your snort.conf is "sane", using the right HOME_NET variable, interface, and check you don't block scans by IP range, BPF filter etc etc. Scan yourself with some remote host or use Dslreports, Securityspace, Grc to check alerts get logged.
If this doesn't work, please post your full snort conf but zap your IP addy's/ranges.
BTW, 2.1.0 is out.

Thanks!

I installed the 2.1.0 version with the current rule set and it works!

Gyuszko