[Snort-sigs] Snort-sigs Digest, Vol 76, Issue 14
wkitty42 at ...3507...
Tue Sep 11 15:29:42 EDT 2012
On Sep 11, 2012, at 1:24 PM, PR <oly562 at ...2420...> wrote:
> when I ran a script, bash simple with 2 lines just like I type them into
> the cmdline, it said ipvar 192.168.1.0/24 can't be something... I have
> since just run the cmds one at a time, and I don't see that anymore, but
> it said failed or errored... something like that. sorry I missed it...
> maybe it's in the logs? I can't read the logs as they are in unified
> format. I guess... lol....
> ls /var/log/snort/
> alert snort.log.1347321601 snort.log.1347374349
> snort.log.1347320873 snort.log.1347325626 snort.log.1347382370
> snort.log.1347321584 snort.log.1347346937 snort.log.1347382486
> snort.log.1347321592 snort.log.1347347097 snort.log.1347383400
> this is what I mean, I can't less them:
> less /var/log/snort/snort.log.1347320873
> "/var/log/snort/snort.log.1347320873" may be a binary file. See it
> your thoughts?
those files, while named snort.log.unixtimestamp, are not log files per se...
they are, IME, pcap files... the default name of "snort.log" really should be
changed in the default config file distributed by VRT and Snort so that it more
properly indicates what those files are... I danced all around them for a long
long while until Joel had me send one on to him and he was able to determine that it
was a pcap file...
look in your snort.conf file for snort.log and let's see what area it is defined
in, then we can be more sure if they are pcaps or something else...
so with that said, you use Wireshark or similar pcap tools to read them IF they
are pcap files ;)
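To make the "look in snort.conf for snort.log" check concrete, here is an added example in Python (mine, not code from this thread or from the Snort project). It reads the `output` lines of a Snort 2.x snort.conf to see which plugin writes files whose names start with snort.log, and then sniffs the first bytes of each file for the pcap, pcapng or unified2 magic values, so you know whether Wireshark (pcap) or u2spewfoo (unified2) is the right reader instead of guessing from the name. The snort.conf excerpt and the file headers are constructed for the demo; treating "snort.log" as the default file name of log_tcpdump when no name is given is an assumption.

```python
import re
import struct

# Magic numbers of the formats a Snort 2.x output plugin may write.
# These are documented, format-level constants (pcap, pcapng, unified2),
# not values taken from the thread above.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
# unified2 record types from Snort's Unified2_common.h; every record starts
# with a big-endian (type, length) pair, so the first 8 bytes identify it.
UNIFIED2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN",
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}


def classify_snort_file(head: bytes) -> str:
    """Guess the format of a Snort output file from its first bytes."""
    if len(head) >= 4 and head[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[head[:4]]
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if len(head) >= 8:
        rec_type, rec_len = struct.unpack(">II", head[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len < 65536:
            return f"unified2 (first record {UNIFIED2_TYPES[rec_type]})"
    # printable ASCII plus tab/newline/CR: something 'less' can show directly
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"


OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")


def output_filenames(conf_text: str) -> dict:
    """Map each active 'output' plugin in snort.conf to (format, base filename)."""
    outputs = {}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)  # commented-out lines ('# output ...') do not match
        if not m:
            continue
        plugin, args = m.group(1), m.group(2)
        if plugin == "log_tcpdump":
            # first argument is the file name; Snort appends a unix timestamp to it
            # ("snort.log" as the fallback when no name is given is an assumption)
            outputs[plugin] = ("pcap", args.split(",")[0].strip() or "snort.log")
        elif plugin in ("unified2", "alert_unified2", "log_unified2"):
            fm = re.search(r"filename\s+([^\s,]+)", args)
            outputs[plugin] = ("unified2", fm.group(1) if fm else None)
        else:
            outputs[plugin] = ("other", None)
    return outputs


def expected_format(filename: str, outputs: dict) -> str:
    """Which format snort.conf predicts for a file with this name."""
    for fmt, base in outputs.values():
        if base and (filename == base or filename.startswith(base + ".")):
            return fmt
    return "unknown"


SAMPLE_CONF = """\
# constructed excerpt in the style of a Snort 2.x snort.conf (not the poster's file)
ipvar HOME_NET 192.168.1.0/24
output alert_fast: alert
output log_tcpdump: snort.log
# output unified2: filename snort.log, limit 128
"""

# Constructed first bytes of three files, as you would get from open(path, "rb").read(64)
SAMPLE_HEADS = {
    # little-endian pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1
    "snort.log.1347320873": b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1),
    # unified2: an IDS_EVENT record header (type 7, length 52) followed by a zeroed body
    "merged.u2": struct.pack(">II", 7, 52) + b"\x00" * 52,
    # alert_fast output is plain text
    "alert": b"09/11-13:24:00.000000  [**] [1:1000001:0] constructed test alert [**]\n",
}


def check_directory(heads: dict, conf_text: str) -> dict:
    """Per file: (format snort.conf predicts, format the bytes actually show)."""
    outputs = output_filenames(conf_text)
    return {
        name: (expected_format(name, outputs), classify_snort_file(head))
        for name, head in heads.items()
    }


if __name__ == "__main__":
    # On a real sensor: heads = {f: open(f, "rb").read(64) for f in os.listdir("/var/log/snort")}
    for name, (expected, actual) in check_directory(SAMPLE_HEADS, SAMPLE_CONF).items():
        print(f"{name:24} conf says: {expected:10} bytes say: {actual}")
```

When the two columns disagree (the config says pcap but the bytes say unified2, or the file is text while the name suggests a capture), the output plugin in snort.conf is not the one that wrote the file, which is exactly the ambiguity the reply above is pointing at.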