Snort mailing list archives

is it possible to get pcap logs in individual directories?


From: Jon <warchild () spoofed org>
Date: Tue, 11 Feb 2003 11:11:01 -0500

Greetings,

I've pored over all the documentation and can't figure this out.

I have a 1.9 build from 1/29/03 running on OpenBSD -current.  I've got 6
different snort processes listening on different interfaces doing different
things.

For each process, the only thing that differs in the command below is the
interface and the configuration file.  In each config file, the only output
plugin enabled is the database one: 

snort -i xl1 -CDdIey -c /share/snort/etc/snort.conf -g snort -u snort

This gets me a nice database with all the alerts in a manageable form, and a
text version in /var/log/snort/<ip>/$foo, where $foo is something like
TCP:44332-80.

The problem comes when I want to do real analysis of an attack and an ASCII
view of the packet is not sufficient.  Say I wanted to submit a pcap file
containing the attack, or do more analysis with some other package -- this
isn't possible with ASCII.

I know I can enable tcpdump/binary output, or use the -b option, but things
get ugly pretty quick with that.  Ideally, I'd like something that
maintained the /var/log/snort/<ip>/ directory structure but gave me a pcap
file instead of the ASCII.  The name of said pcap file is kinda important
too, but I'd be happy if it just logged to unique files for each
protocol/src-port/dst-port combo like ASCII does.

Is this possible?  If not, would a feature like this be valuable to the
Snort community?

Thanks in advance,

-jon
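One way to get the layout Jon asks for without a new Snort output plugin is to post-process the tcpdump-format log that -b (or the log_tcpdump plugin) already writes. The script below is an added example for this thread, not code from Snort or from the original poster: it reads a classic pcap, groups packets by source IP, protocol and port pair, and writes one small pcap per flow under <outdir>/<ip>/<PROTO>:<sport>-<dport>.pcap, mirroring the ASCII logger's naming. Assumptions: the per-IP directory is the packet's source address (Snort's own ASCII logger picks the directory from the home net/port relationship, which is not reproduced here), only Ethernet/IPv4 frames with TCP or UDP get port-qualified names, and the sample capture embedded in sample_capture() is constructed for the demonstration rather than taken from a real sensor.

```python
#!/usr/bin/env python3
"""Split a tcpdump-format log (e.g. the file written by `snort -b`) into
per-host, per-flow pcap files laid out like Snort's ASCII logger:
    <outdir>/<src ip>/<PROTO>:<sport>-<dport>.pcap
Assumptions (this is an added example, not Snort's own behaviour): the
directory is the *source* IP, only Ethernet/IPv4 is handled, classic pcap only."""
import os
import socket
import struct
from collections import defaultdict

# Global header for the per-flow files: little-endian, v2.4, no TZ, snaplen 65535, Ethernet
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def iter_records(data):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap buffer of either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:      # truncated trailing record: stop rather than emit garbage
            break
        off += incl_len
        yield ts_sec, ts_usec, frame


def flow_key(frame):
    """Return 'src_ip/PROTO:sport-dport.pcap' for an IPv4 frame, or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IP header length, honours options
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    name = PROTO_NAMES.get(proto, "PROTO%d" % proto)
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:         # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return "%s/%s:%d-%d.pcap" % (src, name, sport, dport)
    return "%s/%s.pcap" % (src, name)                     # ICMP and friends: no port pair


def flow_files(data):
    """Map each flow key to a complete pcap (header + records) holding only that flow's packets."""
    flows = defaultdict(bytearray)
    for ts_sec, ts_usec, frame in iter_records(data):
        key = flow_key(frame)
        if key is None:
            continue
        if not flows[key]:
            flows[key] += PCAP_HDR
        flows[key] += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return {k: bytes(v) for k, v in flows.items()}


def split_pcap(data, outdir):
    """Write one pcap per flow under outdir; return {relative path: packet count}."""
    counts = {}
    for key, blob in flow_files(data).items():
        path = os.path.join(outdir, *key.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)
        counts[key] = sum(1 for _ in iter_records(blob))
    return counts


def build_frame(proto, src, dst, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame for the sample capture (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def sample_capture():
    """Constructed three-packet capture: two packets of one TCP flow plus one UDP packet."""
    frames = [
        build_frame(6, "192.0.2.10", "198.51.100.5", 44332, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame(6, "192.0.2.10", "198.51.100.5", 44332, 80, b"Host: x\r\n"),
        build_frame(17, "192.0.2.10", "198.51.100.53", 5353, 53, b"\x00" * 12),
    ]
    out = bytearray(PCAP_HDR)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1044979861 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    import sys
    import tempfile
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    outdir = sys.argv[2] if len(sys.argv) > 2 else tempfile.mkdtemp(prefix="snort-flows-")
    for key, n in sorted(split_pcap(src, outdir).items()):
        print("%-40s %d packet(s)" % (key, n))
    print("written under", outdir)
```

Run it as `split_flows.py /var/log/snort/snort.log.NNN /var/log/snort/pcap` (path names are placeholders) and each resulting file opens in tcpdump, Ethereal or any other libpcap consumer; because every output is a complete pcap with its own global header, a single flow file can be handed to a third party without the rest of the capture. Packets that are not IPv4 are skipped rather than misfiled, and a truncated final record (a sensor killed mid-write) ends the parse cleanly instead of producing a bogus flow.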



