Snort mailing list archives
Re: Where's Waldo?
From: AllowOverride <allowoverride () gmail com>
Date: Wed, 10 Oct 2012 14:47:55 -0700
yep pcap would be a better filename, agreed. thanks for your input

On Wed, 2012-10-10 at 15:16 -0400, waldo kitty wrote:

On 10/9/2012 11:29, AllowOverride wrote:

I was doing some research, like i usually do, and i found this option, but, there is not much said about it in the READMEs enclosed with the Barnyard2 tar.

-f <base> Use <base> as the base filename pattern

what do they mean by base filename pattern?

snort.log would be one example since snort then outputs snort.log.123456789, snort.log.234567890, snort.log.345678901 styled filenames... another pattern might be something like YYYYMMDD-foobar.log where the YYYY is the four digit year, MM is the two digit month, and DD is the two digit day of the month... of course, this also depends on the tool needing these patterns and what it can support...

one also must necessarily be careful with these log file names... in my setup, files such as those are pcap files... if i also want unified2 output, i have to specify another log file name to ensure that i do not overwrite or place data in the wrong file...

NOTE: IM(H)O, snort/VRT should have named the above default snort.log output as snort.pcap to _truly_ denote what these files are... this on a snort installation with *NO* "output" plugins defined... it took a while before someone, joel i think, was finally able to tell me what those files actually were... before then, i had been processing them with a few homegrown scripts to pull data from them that i had figured out and wanted to report on...

NOTE2: i see in my old snort.conf that the unified2 output is configured with a file name of merged.log... not having looked at barnyard2 or any other "IDS/IPS controller" stuffs, i can only hope that they allow for these log file names to be custom set for each install... additionally, i do not know (yet) if this file results in files similar to the above snort.log.xxxxxxxxx format or if it is simply one big log file that remains until it is rotated out...

------------------------------------------------------------------------------
Don't let slow site performance ruin your business.
Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
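The thread's two practical points, that files named from a base pattern come out as <base>.<unix timestamp> and that the default snort.log.* files are really pcap while a unified2 spool (merged.log.* in waldo's config) is something else entirely, can both be checked from the bytes rather than guessed from the name. The script below is an added example, not code from anyone in this thread or from the Snort or Barnyard2 projects. It assumes the <base>.<digits> naming described above, uses the libpcap and pcapng file magics, and, since unified2 has no file magic, recognises a unified2 file by a plausible big-endian (type, length) record header using the record type ids from Snort's Unified2_common.h. The sample files it writes into a temporary directory are constructed for the demo.

```python
import re
import struct
import tempfile
from pathlib import Path

# libpcap file magic (both byte orders, microsecond and nanosecond variants)
# and the pcapng section-header block type.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# unified2 has no file magic: each record opens with a big-endian
# (type, length) header. Record type ids as defined in Snort's
# Unified2_common.h: PACKET, IDS_EVENT, IDS_EVENT_IPV6, the VLAN
# variants of both, and EXTRA_DATA.
UNIFIED2_TYPES = {2, 7, 72, 104, 105, 110}
# Largest plausible record: a PACKET record carrying a 65535-byte packet
# after its 28-byte fixed header. A bigger length is not a unified2 header.
UNIFIED2_MAX_RECORD = 28 + 65535


def classify_header(head: bytes) -> str:
    """Classify a file by its first 8 bytes: pcap, pcapng, unified2 or unknown."""
    if len(head) < 8:
        return "unknown"
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    rec_type, rec_len = struct.unpack(">II", head[:8])
    if rec_type in UNIFIED2_TYPES and 0 < rec_len <= UNIFIED2_MAX_RECORD:
        return "unified2"
    return "unknown"


def classify_file(path: Path) -> str:
    """Read only the first 8 bytes; large capture files are never loaded."""
    with path.open("rb") as fh:
        return classify_header(fh.read(8))


def rotated_files(directory: Path, base: str) -> list[Path]:
    """Files written from the base pattern <base>, i.e. named <base>.<unix timestamp>,
    oldest first. A bare <base> file with no numeric suffix is not one of them."""
    pattern = re.compile(re.escape(base) + r"\.(\d+)")
    matches = []
    for entry in directory.iterdir():
        m = pattern.fullmatch(entry.name)
        if m and entry.is_file():
            matches.append((int(m.group(1)), entry))
    return [p for _, p in sorted(matches)]


def sample_pcap_header() -> bytes:
    """Constructed 24-byte libpcap global header: little-endian, v2.4, snaplen 65535, Ethernet."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def sample_unified2_header() -> bytes:
    """Constructed unified2 record header: type 7 (IDS_EVENT) with a 52-byte zeroed body."""
    return struct.pack(">II", 7, 52) + b"\x00" * 52


def inventory(directory: Path, bases: list[str]) -> dict[str, str]:
    """Map every rotated file under each base pattern to its detected format."""
    return {p.name: classify_file(p)
            for base in bases for p in rotated_files(directory, base)}


def demo() -> dict[str, str]:
    """Constructed log directory: default snort.log.* output beside a merged.log.* unified2 spool."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "snort.log.1349900000").write_bytes(sample_pcap_header())
        (d / "snort.log.1349903600").write_bytes(sample_pcap_header())
        (d / "merged.log.1349900000").write_bytes(sample_unified2_header())
        (d / "merged.log").write_bytes(b"not a rotated file")  # ignored: no timestamp suffix
        return inventory(d, ["snort.log", "merged.log"])


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

Pointing `inventory()` at a real log directory with the base names from snort.conf (or from Barnyard2's -f <base>) tells you which spool is pcap and which is unified2 before any homegrown script tries to parse it; two bases that resolve to the same file would show up as one name carrying mixed formats, which is exactly the overwrite risk the message warns about.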
Current thread:
- Where's Waldo? AllowOverride (Oct 08)
- Re: Where's Waldo? beenph (Oct 08)
- Re: Where's Waldo? AllowOverride (Oct 09)
- Re: Where's Waldo? Peter Bates (Oct 09)
- Re: Where's Waldo? waldo kitty (Oct 10)
- Re: Where's Waldo? AllowOverride (Oct 10)
- Re: Where's Waldo? AllowOverride (Oct 10)
- Re: Where's Waldo? AllowOverride (Oct 09)
- Re: Where's Waldo? AllowOverride (Oct 09)
- Re: Where's Waldo? Paul Schmehl (Oct 09)
- Re: Where's Waldo? AllowOverride (Oct 09)
- Re: Where's Waldo? Paul Schmehl (Oct 09)
- Re: Where's Waldo? AllowOverride (Oct 09)
- Re: Where's Waldo? Paul Schmehl (Oct 09)
- Re: Where's Waldo? AllowOverride (Oct 10)
- Re: Where's Waldo? waldo kitty (Oct 10)
- Re: Where's Waldo? AllowOverride (Oct 10)
- Re: Where's Waldo? beenph (Oct 08)