Snort mailing list archives
Re: Program that reads unified log format natively
From: Bamm Visscher <bamm () satx rr com>
Date: Fri, 24 Oct 2003 10:51:26 -0500
I run barnyard in continual mode (using a waldo file) and snort with a limit on the size of the unified out files:

    output log_unified: filename snort.log, limit 128

Once my log_unified file (snort.log.########) gets to be 128MBs, snort wraps the logging around. So, that takes care of the "twice the disk space" problem. Use daemontools or similar to ensure that barnyard stays up and all should be good.

The snort guys HAD to use a proprietary format for this as the unified formats include snort ALERT information. Otherwise you are talking about doing tcpdump -r pcap.log -> snort -r pcap.log and from there you might as well use the standard spo_* as snort isn't going to 'drop' any packets in this config.

Bammkkkk

On Fri, Oct 24, 2003 at 09:54:14AM -0500, Williams Jon wrote:
> This gets into one of the fundamental problems that I've had with barnyard in the first place. Today, we use snort to log directly to libpcap-format files locally and send the data across the net to the DB server. As I understand it, in order to have the same two functions (i.e. being able to use any libpcap-based tool to read the local files and data aggregation via the DB), I end up having to have nearly duplicate log files on my sensors, one in unified format that is then read and converted into libpcap.
>
> I understand the Snort Team's motivation behind externalizing the log processing, but by choosing a proprietary format for the first pass, they've either doubled the amount of disk space I need for logs or made a feature that I won't use.
>
> Jon
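A sensor-side health check for the setup Bamm describes (snort rotating snort.log.######## at a size limit, barnyard draining the spool in continual mode). This is an added example, not code from the thread or from Snort/barnyard; it assumes the ######## suffix is the epoch timestamp Snort appends when it opens a file, and that a healthy spool holds only a few rotated files, which is what you'd expect when barnyard keeps up.

```shell
#!/bin/sh
# check_unified_spool DIR BASENAME LIMIT_BYTES MAX_FILES
# Walks the unified spool directory, prints "files=N total=BYTES newest=FILE"
# and returns 0 when healthy, 1 when a file exceeds the configured limit
# (rotation not happening) or the spool holds more than MAX_FILES rotated
# files (barnyard is down or has fallen behind). Constructed example.
check_unified_spool() {
    dir=$1; base=$2; limit=$3; max_files=$4
    status=0; count=0; total=0; newest=""; newest_ts=0
    for f in "$dir"/"$base".*; do
        [ -f "$f" ] || continue
        ts=${f##*.}
        # Only snort.log.<epoch> files count; skip anything with a non-numeric suffix
        case $ts in *[!0-9]*|"") continue ;; esac
        size=$(wc -c < "$f" | tr -d ' ')
        count=$((count + 1)); total=$((total + size))
        if [ "$size" -gt "$limit" ]; then
            echo "oversize: $f ($size bytes > $limit)" >&2; status=1
        fi
        if [ "$ts" -gt "$newest_ts" ]; then newest_ts=$ts; newest=$f; fi
    done
    if [ "$count" -gt "$max_files" ]; then
        echo "backlog: $count files in $dir (barnyard may be down or behind)" >&2; status=1
    fi
    echo "files=$count total=$total newest=$newest"
    return $status
}
```

Run it from cron or a daemontools-supervised loop with the same limit you pass to log_unified (128 MB here is 134217728 bytes); a non-zero exit is the signal to page someone.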