Snort mailing list archives

Re: -b binary logging question


From: Chris Green <cmg () sourcefire com>
Date: Tue, 03 Sep 2002 08:25:54 -0400

John Sage <jsage () finchhaven com> writes:

> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
>
> Does the -b binary logging switch *always* record all packets on the
> interface?

No.  One thing that is confusing about snort is that it supports many
different modes.


> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?

Yes.  There is a difference between with a snort.conf and without.



> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:

I really should rewrite that portion.  That only makes sense these
days if you've got a slow machine but fast disk IO.  Binary mode for a
log format + fast mode instead of an ascii logging makes lots of
sense though.


> ./snort -l ./log -b

> Note the command line changes here. We don't need to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."

> This implies that -b gets everything.


It does in that command line.

> OK: does it *always* get everything?


Nope.
-- 
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.
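Since the thread's answer is that -b does not always capture everything, the practical check is to count what a given run actually wrote. This is an added example, not code from the thread or from Snort: a minimal reader for the classic libpcap ("tcpdump format") file that -b produces, run here on a constructed two-packet capture instead of a real snort.log.

```python
import struct

# Classic libpcap ("tcpdump format") layout, which is what `snort -b` writes.
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1

def build_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=1514):
    """Build a little-endian pcap file in memory (only used to construct sample input)."""
    out = struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, pkt in packets:
        out += struct.pack("<" + RECORD_HDR, ts_sec, 0, len(pkt), len(pkt)) + pkt
    return out

def parse_pcap(data):
    """Return (linktype, records); each record is (ts_sec, ts_usec, orig_len, bytes).
    Raises ValueError on a bad magic or a truncated record (e.g. a log cut off
    when snort was stopped uncleanly), rather than silently undercounting."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file (magic %r)" % magic)
    linktype = struct.unpack(end + GLOBAL_HDR, data[:24])[6]
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + RECORD_HDR, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def count_packets(data):
    """Packet count: the first number to compare between a -b run with and without -c snort.conf."""
    return len(parse_pcap(data)[1])

# Constructed sample, not real traffic: two small Ethernet frames (42 and 34 bytes).
SAMPLE = build_pcap([
    (1031055954, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28),
    (1031055955, b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + b"\x45" + b"\x00" * 19),
])
```

Point it at a real snort.log (`parse_pcap(open(path, "rb").read())`) to compare counts between the two modes the thread contrasts.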

