Snort mailing list archives
Re: is it possible to get pcap logs in individual directories?
From: twig les <twigles () yahoo com>
Date: Tue, 11 Feb 2003 09:47:36 -0800 (PST)
Snort *may* have what you're looking for, if what you're looking for is this (from snort.conf):

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

I use this for some stupid traffic that sometimes precedes a system crash on a problematic box. I just specify the full path of the file I want to create. Although I can see where this solution would not scale.

--- Jon <warchild () spoofed org> wrote:
Greetings,

I've pored over all the documentation and can't figure this out. I have a 1.9 build from 1/29/03 running on OpenBSD -current. I've got 6 different snort processes listening on different interfaces doing different things. For each process, the only thing that differs in the command below is the interface and the configuration file. In each config file, the only output plugin enabled is the database one:

snort -i xl1 -CDdIey -c /share/snort/etc/snort.conf -g snort -u snort

This gets me a nice database with all the alerts in a manageable form, and a text version in /var/log/snort/<ip>/$foo, where $foo is something like TCP:44332-80.

The problem comes when I want to do real analysis of an attack and an ASCII view of the packet is not sufficient. Say I wanted to submit a pcap file containing the attack, or do more analysis with some other package -- this isn't possible with ASCII. I know I can enable tcpdump/binary output, or use the -b option, but things get ugly pretty quick with that.

Ideally, I'd like something that maintained the /var/log/snort/<ip>/ directory structure but gave me a pcap file instead of the ASCII. The name of said pcap file is kinda important too, but I'd be happy if it just logged to unique files for each proto/src-port/dst-port combo like ASCII does.

Is this possible? If not, would a feature like this be valuable to the Snort community?

Thanks in advance,

-jon

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
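The ruletype above gets all matching packets into one suspicious.log; what Jon asks for is that same pcap data laid out as /var/log/snort/<ip>/TCP:44332-80 style files. As an added illustration (not code from the thread or from Snort), the script below post-processes a log_tcpdump file into exactly that tree, one valid pcap per source IP and proto/src-port/dst-port combo. It assumes Ethernet framing and a Unix filesystem (':' in filenames); the capture it runs on is constructed inline.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xa1b2c3d4   # libpcap magic; log_tcpdump writes it in host byte order

def split_pcap(data, outdir):
    """Split one libpcap capture into <outdir>/<src ip>/<PROTO>:<sport>-<dport>.pcap,
    mirroring Snort's ASCII log tree. Returns the sorted list of files written."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    global_hdr, off, files = data[:24], 24, {}
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        rec = data[off:off + 16 + incl]          # record header + packet, copied verbatim
        ip = rec[16 + 14:]                       # skip the 14-byte Ethernet header (assumed)
        off += 16 + incl
        if len(ip) < 20 or ip[0] >> 4 != 4:      # skip truncated or non-IPv4 frames
            continue
        proto, src = ip[9], ".".join(str(b) for b in ip[12:16])
        l4 = ip[(ip[0] & 0xF) * 4:]              # L4 header follows IHL*4 bytes of IP header
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            name = "%s:%d-%d.pcap" % ("TCP" if proto == 6 else "UDP", sport, dport)
        else:
            name = "PROTO%d.pcap" % proto        # ICMP and friends carry no ports
        path = os.path.join(outdir, src, name)
        if path not in files:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            files[path] = open(path, "wb")
            files[path].write(global_hdr)        # each per-flow file is itself a valid pcap
        files[path].write(rec)
    for f in files.values(): f.close()
    return sorted(files)

def make_pcap(packets):  # constructed input: minimal little-endian pcap, link type 1 (Ethernet)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(packets):
        out.append(struct.pack("<IIII", 1044979656 + i, 0, len(p), len(p)) + p)
    return b"".join(out)

def tcp_packet(src, dst, sport, dport):  # constructed Ethernet/IPv4/TCP SYN, no payload (54 bytes)
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def demo():  # split a constructed three-packet capture; returns (relative path, size) pairs
    outdir = tempfile.mkdtemp()
    pkts = [tcp_packet("10.0.0.5", "10.0.0.9", 44332, 80)] * 2 + [tcp_packet("10.0.0.7", "10.0.0.9", 1025, 6667)]
    return [(os.path.relpath(p, outdir), os.path.getsize(p)) for p in split_pcap(make_pcap(pkts), outdir)]
```

Run it against a real suspicious.log with split_pcap(open(path, "rb").read(), "/var/log/snort"); files written this way open directly in tcpdump or any other pcap-aware tool.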
Current thread:
- is it possible to get pcap logs in individual directories? Jon (Feb 11)
- Re: is it possible to get pcap logs in individual directories? twig les (Feb 11)