Snort mailing list archives

Question about 'logto' and 'log_tcpdump'


From: Lin.Zhong () Dartmouth EDU (Lin Zhong)
Date: 08 May 2004 18:49:27 EDT

I see in the Snort manual that there is a 'logto' option for rules:

    logto: filename

Does it log all the traffic triggering the specific alert to this file in binary mode? Can I still use threshold to
control that it only logs part of the traffic?

And I have tried to define a new alert type as follows:

ruletype myalert{
         type alert
         output alert_CSV: new.alerts default
         output log_tcpdump: log.packet
}

I have changed the rule correspondingly.

But when I run Snort, it only gives me the new.alerts log and there is no log.packet file. I tried log_unified too, but
it doesn't work either.

Can anybody tell me why? And what should I do to make it work?

Many thanks,

Lin
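A quick way to check what (if anything) a log_tcpdump output plugin actually wrote is to read the file as libpcap data: that plugin writes the binary libpcap format that tcpdump and Wireshark read, so a file containing only the 24-byte global header means the plugin initialised but no packet ever reached it. The reader below is an added example for this thread, not code from the Snort project; the two sample frames are constructed inline, and the field layout is the standard libpcap global and per-packet header, nothing Snort-specific.

```python
import struct

# libpcap layout: 24-byte global header, then per packet a 16-byte record header and the captured bytes.
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
LINKTYPE_ETHERNET = 1


def build_pcap(frames, snaplen=1514):
    """Write a little-endian libpcap file from (ts_sec, ts_usec, frame_bytes) tuples.

    Used here only to construct sample input; log_tcpdump itself produces this format."""
    out = bytearray(PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]  # anything beyond snaplen is dropped, orig_len keeps the true size
        out += PCAP_PKT_HDR.pack(ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def summarize_pcap(data):
    """Parse a libpcap byte string and return header fields plus a list of packet records.

    Raises ValueError on anything that is not a well-formed pcap, so a text-format
    log (e.g. what the 'logto' rule option writes) is rejected rather than misread."""
    if len(data) < PCAP_GLOBAL_HDR.size:
        raise ValueError("shorter than a pcap global header; not a libpcap file")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"      # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"      # written on a big-endian host
    else:
        raise ValueError("bad magic %r; not a libpcap file" % magic)
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets = []
    off = PCAP_GLOBAL_HDR.size
    while off < len(data):
        if off + PCAP_PKT_HDR.size > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += PCAP_PKT_HDR.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("packet at offset %d claims %d bytes; file is corrupt or truncated" % (off, incl_len))
        packets.append({
            "ts": ts_sec + ts_usec / 1e6,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "packets": packets}


# Constructed sample input: a 16-byte Ethernet-looking frame and a 2000-byte frame that exceeds the snaplen.
SAMPLE_FRAMES = [
    (1083972567, 123456, bytes.fromhex("ffffffffffff00112233445508000000")),
    (1083972568, 0, b"\x00" * 2000),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=1514)
EMPTY_PCAP = build_pcap([])  # header only: the shape of a log file in which nothing was ever logged


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PCAP
    info = summarize_pcap(data)
    print("pcap v%d.%d linktype=%d snaplen=%d packets=%d"
          % (info["version"] + (info["linktype"], info["snaplen"], len(info["packets"]))))
    for p in info["packets"]:
        print("  ts=%.6f captured=%d/%d" % (p["ts"], p["incl_len"], p["orig_len"]))
```

Run it as `python3 pcapcheck.py /var/log/snort/log.packet` (or whatever name the log directory holds) to see whether the file is empty, has packets, or is not libpcap at all; a zero-packet result with a valid header points at the rule or ruletype not firing the log plugin, not at the plugin failing to open the file.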


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users