Re: is it possible to get pcap logs in individual directories?

[twig les <twigles () yahoo com>]

Snort *may* have what you're looking for, if what you're looking
for is this (from snort.conf):

# You can optionally define new rule types and associate one or 
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
Server";)


I use this for some stupid traffic that sometimes preceeds a
system crash on a problematic box.  I just specify the full path
of the file I want to create.  Although I can see where this
solution would not scale.



--- Jon <warchild () spoofed org> wrote:
> Greetings,
>
> I've poured over all the documentation and can't figure this
> out.
>
> I have a 1.9 build from 1/29/03 running on OpenBSD -current. 
> I've got 6
> different snort processes listening on different interfaces
> doing different
> things.
>
> For each process, the only thing that differs in the command
> below is the
> interface and the configuration file.  In each config file,
> the only output
> plugin enabled is the database one: 
>
> snort -i xl1 -CDdIey -c /share/snort/etc/snort.conf -g snort
> -u snort
>
> This gets me a nice database with all the alerts in a
> managable form, and a
> text version in /var/log/snort/<ip>/$foo, where $foo is
> something like
> TCP:44332-80.  
>
> The problem comes when I want to do real analysis of an attack
> and an ASCII
> view of the packet is not sufficient.  Say I wanted to submit
> a pcap file
> containing the attack, or do more analysis with some other
> package -- this
> isn't possible with ACSII.
>
> I know I can enable tcpdump/binary output, or use the -b
> option, but things
> get ugly pretty quick with that.  Ideally, I'd like something
> that
> maintained the /var/log/snort/<ip>/ directory structure but
> gave me a pcap
> file instead of the ASCII.  The name of said pcap file is
> kinda important
> too, but I'd be happy if it just logged to unique files for
> each
> protco/src-port/dst-port combo like ASCII does.
>
> Is this possible?  If not, would a feature like this be
> valuable to the
> Snort community?
>
> Thanks in advance,
>
> -jon
>
>
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something
> 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users