Snort mailing list archives
Re: Snort3 generating multiple alert files
From: Russ <rucombs () cisco com>
Date: Mon, 16 May 2016 13:53:52 -0400
`snort --help-config alert_full` will show:

    bool alert_full.file = false: output to alert_full.txt instead of stdout
    int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
    enum alert_full.units = B: limit is in bytes | KB | MB | GB { B | K | M | G }

So the default limit is zero, meaning unlimited, meaning you have hit upon a bug. We will get that fixed. In the meantime, you can set an explicit limit with:

    alert_full = { file = true, limit = 12345678 }

Note that since you already have alert_full in your conf, you can add this to your command line:

    --lua "alert_full.limit = 12345678"

Also, just to clarify earlier email, you can add log_pcap to your conf to get pcaps along with fast alerts, but you will have to line up time stamps to associate them.

Thanks
Russ

On 5/16/16 10:09 AM, João Soares wrote:
> Greetings,
>
> Thank you for your reply and suggestions! As for the -z option, I'm currently doing load balancing externally as you said, I look forward to that internal load balancing :)
>
> At the moment we're using a network tap to mirror lots of traffic, including wireless frames, that is why I was using the -w option. Thank you for your clarification.
>
> -A full goes to console by default, you're right, but I have a custom .lua file with
>
>     alert_full = { file = true }
>
> which makes it go to an alert_full.txt file. My main issue is that it is constantly creating new files when alert_full.txt reaches ~4Kb. For example, it makes a new alert_full.txt.1483937582 and so on. This one I would really like to fix.
>
> Best regards and thank you for your time
>
> On 05/16/2016 01:43 PM, Russ wrote:
>> On 5/15/16 10:51 PM, João Soares wrote:
>>> Greetings, I'm trying to learn and adapt to snort3 and it's not being easy. I'm running snort3 with this command:
>>>
>>>     snort -l /root/snort-logs -A full -i eth0 -c etc/snort/snort.lua -D -z 0 -d -e -w -X -y
>>
>> Some comments on your options:
>>
>> -z 0 will only help when you have multiple input sources or many pcaps since, at present, load balancing must be done externally. Internal load balancing is coming up.
>>
>> -w applies to wireless and likely doesn't actually go with your eth0 interface (usually wired). However, since you had that combination, I double checked and it appears that -w is no longer attached to any functionality and will likely be deleted.
>>
>> Which options are giving you 4K logs? -A full goes to console by default.
>>
>>> I have two questions and I would really appreciate it if you guys could help me out:
>>>
>>> *1* - Why is snort3 making a new alert file each time the original file reaches approximately 4kb? How can I change that?
>>
>> -A and -L are for two different run modes. Use -A with -c to log intrusion events. Use -L to just log all packets, that is, for sniffer mode. When used together on the command line, the last one wins.
>>
>>> *2* - How can I make snort3 log both alerts and pcaps of intrusions? I can't get it to work; I have tried combining both -A and -L options but I can only get one of them to be logged.
>>
>> Since you want to log intrusion events, you need a logger that captures packets along with the events. I'm guessing that you want a separate pcap but there is no way to do that at present. You can use -A u2 (short for -A unified2) and that will log the event followed by the triggering packet in the same file. You can then use the included u2boat utility to dump a pcap from the u2 log.
>>
>> Did you look at the usage section? There are several examples there. If anything there is unclear, let us know. We will be adding more than just reference material soon.
>>
>>> I'm sorry if these are really obvious questions, but I've read the manual and I can't seem to find the answers.
>>>
>>> Best regards and thank you for your time!
>>>
>>> --
>>> João Soares
>>> SIC - Serviço de Informática e Comunicações
>>> https://helpdesk.dei.uc.pt
>>> Department of Informatics Engineering
>>> Faculty of Science and Technology
>>> University of Coimbra
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
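Russ's suggestion above (log_pcap beside fast alerts, then "line up time stamps to associate them") can be done offline. The following is an added example, not code from this thread or from the Snort project: it parses the timestamp prefix of alert lines, both the `MM/DD-HH:MM:SS.ffffff` form and the `MM/DD/YY-...` form written under `-y` (the option in the original command line), and pairs each alert with the packets of a libpcap capture that fall within a tolerance. It assumes the alerts were written in UTC (`snort -U`), a little-endian microsecond libpcap file, and the year is supplied by the caller when `-y` was not used; all sample data is constructed inline.

```python
import re
import struct
from datetime import datetime, timezone

# Alert timestamps: "MM/DD-HH:MM:SS.ffffff", or "MM/DD/YY-HH:MM:SS.ffffff" under -y (as in the
# original command); without -y the caller supplies the year. Assumes alerts in UTC (snort -U).
TS_RE = re.compile(r"^(\d{2})/(\d{2})(?:/(\d{2}))?-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")

def parse_alert_time(line, default_year=2016):
    """Epoch seconds of an alert line that begins with a Snort timestamp, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, yy, hh, mm, ss, us = m.groups()
    year = 2000 + int(yy) if yy else default_year
    return datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us),
                    tzinfo=timezone.utc).timestamp()

def pcap_records(data):
    """Yield (epoch_seconds, packet_bytes) from a little-endian microsecond libpcap capture."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only LE microsecond pcap handled here)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def match_alerts(alert_lines, pcap_bytes, tolerance=0.001, default_year=2016):
    """Map alert line index -> indices of pcap packets within `tolerance` seconds of it."""
    packets = list(pcap_records(pcap_bytes))
    matches = {}
    for idx, line in enumerate(alert_lines):
        t = parse_alert_time(line, default_year)
        if t is not None:
            matches[idx] = [i for i, (pt, _) in enumerate(packets) if abs(pt - t) <= tolerance]
    return matches

def build_pcap(records):
    """Constructed LE libpcap bytes (linktype 1) from (sec, usec, payload) tuples, for testing."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in records:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample: three packets, two alerts (the first written with -y, the second without).
SAMPLE_PCAP = build_pcap([(1463406832, 123456, b"\xaa" * 60), (1463406835, 500000, b"\xbb" * 60), (1463406900, 0, b"\xcc" * 60)])
SAMPLE_ALERTS = ['05/16/16-13:53:52.123456 [**] [1:1000001:1] "constructed alert A" [**] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80',
                 '05/16-13:53:55.500000 [**] [1:1000002:1] "constructed alert B" [**] {UDP} 10.0.0.3:53 -> 10.0.0.4:5353']
```

Without `-y` the year is guessed, so a capture that spans New Year or is analysed later needs `default_year` set per file; a wrong year silently matches nothing.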