Snort mailing list archives

Re: Program that reads unified log format natively


From: Bamm Visscher <bamm () satx rr com>
Date: Fri, 24 Oct 2003 10:51:26 -0500

I run barnyard in continual mode (using a waldo file) and snort with a limit on the size of the unified out files:

  output log_unified: filename snort.log, limit 128

Once my log_unified file (snort.log.########) gets to be 128MB, snort wraps the logging around. So, that takes care of the "twice the disk space" problem. Use daemontools or similar to ensure that barnyard stays up and all should be good.

The snort guys HAD to use a proprietary format for this as the unified formats include snort ALERT information. Otherwise you are talking about doing tcpdump -r pcap.log -> snort -r pcap.log and from there you might as well use the standard spo_* as snort isn't going to 'drop' any packets in this config.

Bammkkkk

On Fri, Oct 24, 2003 at 09:54:14AM -0500, Williams Jon wrote:
This gets into one of the fundamental problems that I've had with barnyard in the first place. Today, we use snort to log directly to libpcap-format files locally and send the data across the net to the DB server. As I understand it, in order to have the same two functions (i.e. being able to use any libpcap-based tool to read the local files and data aggregation via the DB), I end up having to have nearly duplicate log files on my sensors, one in unified format that is then read and converted into libpcap.

I understand the Snort Team's motivation behind externalizing the log processing, but by choosing a proprietary format for the first pass, they've either doubled the amount of disk space I need for logs or made a feature that I won't use.

Jon
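A sketch of the continual-mode bookkeeping Bamm describes, as an added example that is not snort's or barnyard's own code: a waldo bookmark that survives a reader restart, and a pass that follows the wrap from one snort.log.<timestamp> spool file to the next without re-reading or losing records. The record layout (u32 length prefix plus payload) is a constructed placeholder, not snort's real unified binary format, and the file names and values are made up for the demo.

```python
import json, os, re, struct, tempfile
NAME_RE = re.compile(r"^snort\.log\.(\d+)$")  # snort names unified spool files snort.log.<timestamp>

def spool_files(spool_dir):
    """(timestamp, path) for each snort.log.<ts> file in the spool, oldest first."""
    return sorted((int(m.group(1)), os.path.join(spool_dir, m.group(0)))
                  for m in map(NAME_RE.match, os.listdir(spool_dir)) if m)

def append_record(path, payload):
    """Constructed record layout (not snort's unified format): u32 little-endian length + payload."""
    with open(path, "ab") as fh:
        fh.write(struct.pack("<I", len(payload)) + payload)

def read_records(fh, offset):
    """Yield (offset_after, payload) for each complete record from offset; stop at a partial one."""
    fh.seek(offset)
    while len(hdr := fh.read(4)) == 4:
        (n,) = struct.unpack("<I", hdr)
        if len(body := fh.read(n)) < n:
            return  # writer has not finished this record yet; pick it up on the next pass
        offset += 4 + n
        yield offset, body

def process_once(spool_dir, waldo_path):
    """One continual-mode pass. The waldo records which spool file we are in and the offset of the
    next unread record, so a restart resumes exactly there and the wrap to a newer file is followed."""
    waldo = json.load(open(waldo_path)) if os.path.exists(waldo_path) else {"ts": 0, "offset": 0}
    out = []
    for ts, path in spool_files(spool_dir):
        if ts < waldo["ts"]:
            continue  # older file, already fully consumed
        with open(path, "rb") as fh:
            for off, body in read_records(fh, waldo["offset"] if ts == waldo["ts"] else 0):
                out.append(body)
                waldo = {"ts": ts, "offset": off}
    with open(waldo_path + ".tmp", "w") as fh:
        json.dump(waldo, fh)
    os.replace(waldo_path + ".tmp", waldo_path)  # atomic rename: a crash cannot leave a torn bookmark
    return out

def run_demo():
    """Constructed spool: a wrap to a new file between two passes, plus a torn record that is deferred."""
    d = tempfile.mkdtemp()
    waldo, old, new = (os.path.join(d, n) for n in ("waldo", "snort.log.1000", "snort.log.1001"))
    append_record(old, b"alert-1"); append_record(old, b"alert-2")
    first = process_once(d, waldo)
    append_record(new, b"alert-3")                 # snort hit its size limit and wrapped to a new file
    with open(new, "ab") as fh:
        fh.write(struct.pack("<I", 7) + b"ale")    # writer caught mid-record
    second = process_once(d, waldo)
    return first, second, json.load(open(waldo))
```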


