[Snort-sigs] Snort-sigs Digest, Vol 76, Issue 14

waldo kitty wkitty42 at ...3507...
Tue Sep 11 15:29:42 EDT 2012

On Sep 11, 2012, at 1:24 PM, PR<oly562 at ...2420...>  wrote:

> when I ran a script, bash simple with 2 lines just like I type them into
> the cmdline, it said ipvar can't be something... I have
> since just run the cmds one at a time, and I don't see that anymore, but
> it said failed or errored... something like that. sorry I missed it...
> maybe it's in the logs? I can't read the logs as they are in unified
> format. I guess... lol....
> ls /var/log/snort/
> alert                 snort.log.1347321601  snort.log.1347374349
> snort.log.1347320873  snort.log.1347325626  snort.log.1347382370
> snort.log.1347321584  snort.log.1347346937  snort.log.1347382486
> snort.log.1347321592  snort.log.1347347097  snort.log.1347383400
> this is what I mean, I can't less them:
> less /var/log/snort/snort.log.1347320873
> "/var/log/snort/snort.log.1347320873" may be a binary file.  See it
> anyway?
> your thoughts?

those files, while named snort.log.unixtimestamp, are not log files per se... 
they are, IME, pcap files... the default name of "snort.log" really should be 
changed in the default config file distributed by VRT and snort so that it more 
properly indicates what those files are... I danced all around them for a long 
long while until Joel had me send one on to him and he was able to determine that it 
was a pcap file...

look in your snort.conf file for snort.log and let's see what area it is defined 
in, then we can be more sure if they are pcaps or something else...

so with that said, you use wireshark or similar pcap tools to read them IF they 
are pcap files ;)
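A quick way to settle the "is it a pcap or unified2?" question without opening the file in less: read the first bytes and check them. This is an added example, not code from the thread or from Snort; the pcap/pcapng magic numbers and the unified2 record-type values come from the published format definitions, and the sample byte strings are constructed for the demonstration.

```python
import struct
import sys

# Magic numbers of the capture formats a snort.log.<timestamp> file may really be
# (with "output log_tcpdump" the file is a libpcap capture despite the "log" name).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# unified2 has no magic string: every record begins with a big-endian (type, length)
# header, so the best check is whether the first type value is one Snort defines.
# 1=EVENT 2=PACKET 7=IDS_EVENT 72=IDS_EVENT_IPV6 99/100=MPLS variants
# 104/105=VLAN variants 110=EXTRA_DATA
UNIFIED2_TYPES = {1, 2, 7, 72, 99, 100, 104, 105, 110}


def identify_snort_log(header: bytes) -> str:
    """Classify a file from /var/log/snort by its first 8 bytes."""
    if len(header) < 8:
        return "unknown (too short)"
    magic = header[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    rec_type, rec_len = struct.unpack(">II", header[:8])
    if rec_type in UNIFIED2_TYPES and 0 < rec_len < 65536:
        return f"unified2 (first record type {rec_type}, {rec_len} bytes)"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in header):
        return "text (plain alert log)"
    return "unknown binary"


def identify_file(path: str) -> str:
    """Read only the header of the file on disk and classify it."""
    with open(path, "rb") as f:
        return identify_snort_log(f.read(8))


# Constructed samples (not real files from the thread) to exercise the classifier.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"   # little-endian pcap, version 2.4
SAMPLE_UNIFIED2 = struct.pack(">II", 7, 52)          # UNIFIED2_IDS_EVENT header, 52-byte body
SAMPLE_TEXT = b"[**] [1:"                            # start of a text "alert" file line

if __name__ == "__main__":
    for p in sys.argv[1:]:                           # e.g. /var/log/snort/snort.log.*
        print(f"{p}: {identify_file(p)}")
```

Run it as `python3 idsnort.py /var/log/snort/snort.log.*`; files reported as pcap can be opened in Wireshark or tcpdump, files reported as unified2 need u2spewfoo or Barnyard2.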
