Snort mailing list archives

ASCII logging


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 24 Jun 2002 15:27:43 -0700

Hi all,

I've been successfully using snort for several months. But, I have yet to really understand the command-line and configuration-file options related to logging. In particular, I want snort to generate alerts and perform binary logging to a specified file and directory. But, it persists on generating unwanted ASCII logs, which waste disc space and CPU cycles.

My snort invocation is:

daemon /usr/local/bin/snort \
 -D \
 -b \
 -N \
 -c $CDIR \
 -i $INTERFACE \
 -l $DIRBASE/$WEEK/$DATE \
 -L $FILE \
 -u $USER

And, the relevant contents of snort's configuration file are:

output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: /space1/snort/snort-full
output alert_fast: /space1/snort/snort-fast

log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session: printable;)
log udp any !8116 <> $HOME_NET any (msg: "Unmatched UDP";session: printable;)
log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session: printable;)

I thought that the -b flag would dispense with ASCII logging. What am I missing?

I realize that having both full and fast alerts is not ideal. But, for several reasons I find it convenient; so, I prefer to continue generating the redundant alerts along with the system log entries. It's only the ASCII logs I want to ditch.

This is snort 1.8.6 (Build 105), under Red Hat Linux 7.2, installed via tarball rather than RPM.

Thanks!

---------------------------------------------------
Bill McCarty

