Snort mailing list archives

Re: Logging not working


From: Ed Kasky <ed () esson net>
Date: Thu, 20 Sep 2001 23:12:13 -0700

At 01:30 AM Friday, 9/21/2001, Gordon Ewasiuk wrote -=>
> >> touch /var/log/snort/alert
> >> then restart snort.
> > Did just that - had no effect.  It did create another set of snort.alert
> > and snort.log though - and I noticed that the older ones had something in
> > them...
> Got my wires crossed.  I'm doing high-perf config which logs to
> /var/log/snort/alert in ASCII text.

high-perf config?  I'll have to do some reading on that one....

> > 2096 Sep 20 21:44 0920@2009-snort.alert
> > 4096 Sep 20 21:08 0920@2009-snort.log
> >
> > 0 Sep 20 21:44 0920@2144-snort.alert
> > 0 Sep 20 21:44 0920@2144-snort.log
> >
> > But - when I tried to view them I get the following:
> >
> > "0920@2009-snort.alert" may be a binary file.  See it anyway?
> > Is this a database file????

> Appears so.  You got a '-b' on your snort cmd line?  That logs to a binary
> file.  Think you gotta replay those like tcpdump.  Logging to a binary file
> is faster (says docs).  To replay the binary file and view stuff:
>
> quoting from snort.org:
>
> To read this file back and break out the data in the familiar Snort
> format, just rerun Snort on the data file with the "-r" option and the
> other options you would normally use. For example:
>
> snort -d -c snort.conf -l <logdir> -h <homenets> -r <your logfile>
>
> from http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.2

There is no '-b' in the command line. Could it be getting from somewhere in the config file??

I tried to break out the data but got an error on that as well:

 --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/var/log/snort/0920@2012-snort.alert" file.
ERROR => unable to open file "/var/log/snort/0920@2012-snort.alert" for
readback: archaic file format
Fatal Error, Quitting..

> Also, if you want to log to an ascii text file, try:
>
> <path to snort> -b -A fast -c <path to snort.conf>

Snort wouldn't start with this.  Had to revert to <path to snort> -D -c <path to snort.conf>

Scratching my head.......

Ed
~~




Ed Kasky
Los Angeles, CA
. . . . . . . .
It is a funny thing about life:  if you refuse to accept anything
but the best you very often get it. -William Somerset Maugham
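The thread turns on a question that is easy to answer without an editor's "may be a binary file" guess: is a given file under /var/log/snort a tcpdump-format binary log (what "snort -b" writes, readable with "snort -r") or an ASCII alert file, and if it is binary, why would "-r" refuse it? The script below is an added example, not from the original thread and not part of Snort or libpcap. It reads the libpcap global header: the 32-bit magic 0xa1b2c3d4, stored in the writer's host byte order, followed by a 16-bit major and minor version (2.4 for this format). libpcap's savefile reader reports a major version below 2 as "archaic file format" and a wrong magic as "bad dump file format", so the script distinguishes those cases too. The sample files it builds for its self-check are constructed here and are not real Snort output; the file names and the hypothetical "snortlogtype.sh" are mine.

```shell
#!/bin/sh
# Added example (not from the original thread, not Snort's or libpcap's code):
# classify a file under /var/log/snort by its libpcap global header before
# opening it in an editor or handing it to "snort -r".
#
# tcpdump-format files start with magic 0xa1b2c3d4 in the writer's host byte
# order, then 16-bit version_major/version_minor (2.4). libpcap's reader
# rejects version_major < 2 as "archaic file format". ASCII alert text has
# no such header.

# Print bytes [offset, offset+len) of a file as lowercase hex, no spaces.
hexbytes() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -A n -t x1 | tr -d ' \n'
}

# Decimal value of the 16-bit version_major field, honouring byte order.
version_major() {
    v=$(hexbytes "$1" 4 2)                        # e.g. "0200" from a little-endian writer
    case "$2" in
        le) printf '%d' "0x${v#??}${v%??}" ;;     # swap the two bytes: "0002" -> 2
        *)  printf '%d' "0x$v" ;;
    esac
}

# Echo one of: empty, pcap-le, pcap-be, pcap-le-archaic, pcap-be-archaic, ascii, unknown
classify_snort_log() {
    f="$1"
    [ -s "$f" ] || { echo empty; return 0; }      # 0-byte file, as "touch" leaves it
    case "$(hexbytes "$f" 0 4)" in
        a1b2c3d4) order=be ;;                     # big-endian writer
        d4c3b2a1) order=le ;;                     # little-endian writer (x86)
        *)
            # No pcap magic: call it text if the first 512 bytes are all printable.
            bad=$(dd if="$f" bs=512 count=1 2>/dev/null \
                  | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
            if [ "$bad" -eq 0 ]; then echo ascii; else echo unknown; fi
            return 0 ;;
    esac
    if [ "$(version_major "$f" "$order")" -lt 2 ]; then
        echo "pcap-$order-archaic"                # what "snort -r" would refuse to read
    else
        echo "pcap-$order"                        # replay with: snort -r <file> -c snort.conf ...
    fi
}

# Constructed sample files for a self-check (invented here, not real Snort output).
make_samples() {
    d="$1"
    # 24-byte little-endian header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$d/snort.log"
    # Same header as a big-endian writer would store it
    printf '\241\262\303\324\000\002\000\004\000\000\000\000\000\000\000\000\000\000\377\377\000\000\000\001' > "$d/snort-be.log"
    # version_major 1: the "archaic" case
    printf '\324\303\262\241\001\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$d/archaic.log"
    # A fast-style ASCII alert line, made up for the test
    printf '%s\n' '09/20-21:44:03.000001  [**] [1:1000001:1] Constructed test alert [**] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2' > "$d/alert"
    : > "$d/empty.alert"                          # what "touch /var/log/snort/alert" produces
    printf '\000\001\002\003garbage' > "$d/junk.bin"
}

# Usage: sh snortlogtype.sh /var/log/snort/*
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_snort_log "$f")"
done
```

Run it over the whole log directory; anything reported as pcap-le or pcap-be is a candidate for "snort -r", anything archaic or unknown was not written by the libpcap the current snort links against, and an empty file is just the result of the earlier touch.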


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

