Snort mailing list archives
Re: id check returned root ?!?!
From: Erek Adams <erek () snort org>
Date: Sat, 28 Jun 2003 19:00:01 -0400 (EDT)
On Sat, 28 Jun 2003, Michael D. Schleif wrote: [...snip...]
> Regarding ``logging to binary'', I am running snort from a debian package, and by default /etc/snort/snort.conf has this enabled:
>
>     output log_tcpdump: tcpdump.log
>
> This creates these files:
>
>     /var/log/snort/tcpdump.log._timestamp_
See below...
> Examining these for the string `id=' does show me that every logged instance, in context, is a security related email and all instances of `id=' are really either `gid=' or `uid='. I am relieved about that ;>
>
> I was going to start a new thread, in this regard; but, your post gives me pause and I suspect that my new question is applicable to this same thread ;>
That's always been a noisy false positive rule. If you check the archives on the snort-sigs [0] list you'll see that there has been quite a lot of discussion over how to make it 'cleaner'.
> What is the difference between the snort.conf log_tcpdump line and the commandline:
>
>     -b    ``Log packets in a tcpdump(1) formatted file.''
>
> This morning, I activated -b and now I am getting a new sequence of files:
>
>     /var/log/snort/snort.log._timestamp_
>
> Although, this log now contains a couple events, there is *NO* new activity in tcpdump.log._timestamp_ .
It's the same file format: pcap. pcap is simply a packet capture format where the entire packet is stored in a binary file. The only real difference is the file name.

Now the reason that you didn't have another tcpdump.log.<stamp> file created is that when you use a command line option it _overrides_ any option in the snort.conf file. So only use one. :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-sigs&r=1&w=2
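The two points in this reply, that both log files are plain pcap and that a bare `id=` substring is a noisy thing to look for, can be shown together with a small script. This is an added example written for this archive page, not Snort code and not anything from the poster: it builds a classic pcap file from a few constructed payloads, reads the 24-byte global header and the 16-byte per-record headers back out (either byte order), and then triages each record by counting raw `id=` substrings next to a tighter match on the shape of root's `id` output (`uid=0(root)`). That tighter pattern is an illustration of context-aware matching chosen here, not the content of the actual Snort rule; the records carry application payload only, whereas real captures hold whole frames with link, IP and TCP headers in front of it.

```python
"""Minimal classic-pcap reader plus an alert-triage pass for the 'id=' string.

Added example; not Snort code. The packet payloads are constructed, and the
tighter pattern below is an illustration of context-aware matching, not the
actual content of any Snort rule.
"""
import re
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len, orig_len

# Output of `id` run as root starts "uid=0(root)"; matching that shape is far
# more specific than matching the three bytes "id=" anywhere in a payload.
ROOT_ID_OUTPUT = re.compile(rb"\buid=0\(root\)")

# Constructed payloads: a mail that merely mentions uid/gid (what the poster
# found), genuine root `id` output, and an unrelated HTTP request.
SAMPLE_PAYLOADS: List[bytes] = [
    b"Subject: account audit\r\n\r\nalice now has uid=1000 gid=1000 on host2\r\n",
    b"uid=0(root) gid=0(root) groups=0(root)\n",
    b"GET /index.html HTTP/1.0\r\n\r\n",
]


def build_pcap(payloads: List[bytes], little_endian: bool = True) -> bytes:
    """Serialise payloads into a classic pcap file in the requested byte order."""
    e = "<" if little_endian else ">"
    # linktype 147 is DLT_USER0: records here are bare payload, not Ethernet frames
    out = struct.pack(e + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, 147)
    for i, p in enumerate(payloads):
        out += struct.pack(e + RECORD_HDR, 1056844800 + i, 0, len(p), len(p)) + p
    return out


def _byte_order(data: bytes) -> str:
    """Work out the writer's byte order from how the magic number reads."""
    if struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        return ">"
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        return "<"
    raise ValueError("not a classic pcap file (unknown magic)")


def pcap_header(data: bytes) -> Dict[str, object]:
    """Parse the 24-byte global header."""
    e = _byte_order(data)
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(e + GLOBAL_HDR, data[:24])
    return {"byte_order": e, "version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def pcap_payloads(data: bytes) -> Iterator[bytes]:
    """Yield each record's captured bytes, honouring incl_len."""
    e = _byte_order(data)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(e + RECORD_HDR, data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def triage(data: bytes) -> List[Tuple[int, bool]]:
    """Per record: count of raw 'id=' substrings, and whether root `id` output is present."""
    return [(payload.count(b"id="), bool(ROOT_ID_OUTPUT.search(payload)))
            for payload in pcap_payloads(data)]


if __name__ == "__main__":
    blob = build_pcap(SAMPLE_PAYLOADS)
    print(pcap_header(blob))
    for n, (hits, root) in enumerate(triage(blob)):
        print(f"record {n}: 'id=' substrings={hits} root-id-output={root}")
```

Whether Snort wrote the file via `output log_tcpdump` or via `-b`, `pcap_header` reads it the same way, which is the point about the two file names. The triage output shows why the poster's grep was reassuring: the mail record has two `id=` substrings but no root `id` output, while only the second record satisfies the tighter pattern.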