Snort mailing list archives

Re: id check returned root ?!?!


From: Erek Adams <erek () snort org>
Date: Sat, 28 Jun 2003 19:00:01 -0400 (EDT)

On Sat, 28 Jun 2003, Michael D. Schleif wrote:

> [...snip...]
>
> Regarding ``logging to binary'', I am running snort from a debian
> package, and by default /etc/snort/snort.conf has this enabled:
>
>       output log_tcpdump: tcpdump.log
>
> This creates these files:
>
>       /var/log/snort/tcpdump.log._timestamp_
>
> See below...
>
> Examining these for the string `id=' does show me that every logged
> instance, in context, is a security related email and all instances of
> `id=' are really either `gid=' or `uid='.
>
> I am relieved about that ;>
>
> I was going to start a new thread, in this regard; but, your post gives
> me pause and I suspect that my new question is applicable to this same
> thread ;>

That's always been a noisy false positive rule.  If you check the archives
on the snort-sigs [0] list you'll see that there has been quite a lot of
discussion over how to make it 'cleaner'.

> What is the difference between the snort.conf log_tcpdump line and the
> commandline: -b ???
>
>       ``Log packets in a tcpdump(1) formatted file.''
>
> This morning, I activated -b and now I am getting a new sequence of
> files:
>
>       /var/log/snort/snort.log._timestamp_
>
> Although, this log now contains a couple events, there is *NO* new
> activity in tcpdump.log._timestamp_ .

It's the same file format:  pcap.  pcap is simply a packet capture format
where the entire packet is stored in a binary file.  The only real
difference is the file name.

Now the reason that you didn't have another tcpdump.log.<stamp> file
created is that when you use a command line option it _overrides_ any
option in the snort.conf file.  So only use one.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://marc.theaimsgroup.com/?l=snort-sigs&r=1&w=2
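Two points from the exchange above (both snort.log.* and tcpdump.log.* are plain pcap, and the `id=' hits that turn out to be uid=/gid=) as an added shell example that is not from this thread or the Snort project. It builds a constructed two-record pcap with the file format's own header fields, checks the magic bytes the way you would check both log files, and counts which `id=` strings are really uid=/gid=; the temp path and sample payloads are assumptions.

```shell
#!/bin/sh
set -u; LC_ALL=C; export LC_ALL

# Emit a 32-bit little-endian integer as four raw bytes (pcap header fields).
le32() {
  n=$1; i=0
  while [ "$i" -lt 4 ]; do
    printf "\\$(printf '%03o' $(( n & 255 )))"
    n=$(( n >> 8 )); i=$(( i + 1 ))
  done
}

# Append one pcap record whose "packet" is just an ASCII payload (enough for
# string scanning; a real record would carry Ethernet/IP/TCP headers first).
add_record() {
  le32 0 >> "$1"; le32 0 >> "$1"               # ts_sec, ts_usec
  le32 "${#2}" >> "$1"; le32 "${#2}" >> "$1"   # incl_len, orig_len
  printf '%s' "$2" >> "$1"
}

# Constructed two-packet capture in the format -b / log_tcpdump write:
# magic 0xa1b2c3d4, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, DLT 1.
make_sample() {
  printf '\324\303\262\241\002\000\004\000' > "$1"
  le32 0 >> "$1"; le32 0 >> "$1"; le32 65535 >> "$1"; le32 1 >> "$1"
  add_record "$1" 'Subject: cron output: uid=0(root) gid=0(root) groups=0(root)'
  add_record "$1" 'GET /view?session id=42 HTTP/1.0'
}

# Classify a file by its first four bytes: LE/BE pcap magic (and the
# nanosecond variant) count as pcap; pcapng and anything else are reported.
pcap_kind() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
    0a0d0d0a) echo pcapng ;;
    *) echo unknown ;;
  esac
}

# Count every `id=` in the raw capture and how many are really uid=/gid=;
# "other" is the number of hits a human still has to look at in context.
id_triage() {
  total=$(grep -ao 'id=' "$1" | wc -l | tr -d ' ')
  ug=$(grep -ao '[ug]id=' "$1" | wc -l | tr -d ' ')
  echo "total=$total uid_gid=$ug other=$(( total - ug ))"
}

f=${TMPDIR:-/tmp}/snort.log.sample.$$
make_sample "$f"
echo "$f: $(pcap_kind "$f"); $(id_triage "$f")"
rm -f "$f"
```

Point `pcap_kind` and `id_triage` at a real /var/log/snort/snort.log._timestamp_ or tcpdump.log._timestamp_ to repeat the check on live data.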
