[Snort-users] STDOUT

Phil Wood cpw at ...440...
Wed Sep 13 19:07:44 EDT 2000


At the risk of ridicule, I wanted to do the following:

1. Just write alerts in tcpdump format to a file in the -l <directory>
   and do not create <directory>/alert.  [Still have a problem with "portscan".
   I'd like it to put all its stuff in the same tcpdump file]

   # snort -i $INTERFACE -TL$LOGNAME -TR -TC5000 -TM0 -d -b -A none -o \
      -l LOG_DIR -c scripts/wy.rules -F scripts/wy.bpf

   [ignore the -T flags, they allow me to talk dirty to my ringbuffered libpcap.

   [except for the $LOGNAME, which allows me to change the default name of the
    tcpdump file snort-<mmdd at ...449...>.log

2. Generate the ascii alert stuff out-o-band with snort, possibly on a different
   piece of hardware using stdout on the raw data in $LOGNAME.

   [so I came up with quick hack of OpenAlertFile in log.c to do an fdopen on
    stdout.  This is probably pretty bad code, cause it assumes stdout is on 
    fildes 1.
   
   [Now for the question. How could I have done this without modifying the code?
   
   [Here is a sample run on the data created from step 1.

   # snort -r $LOGFILE -N -c scripts/wy.rules -q -A stdout

   Initializing Network Interface...
   snaplen = 1514
   Entering readback mode....
   09/13-16:16:00.458547  [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
   09/13-16:18:17.546041  [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
   
   Exiting...
   
Thanks,

Phil
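A consumer for the alert lines snort prints in the sample run above, as an added example that is not part of Phil's post or of Snort itself: it skips the banner and status lines, parses each fast-alert line into fields, and tallies alerts per signature and host pair. Accepting an optional host:port form on the endpoints is an assumption added here; the post's lines carry no ports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Fast-alert line as printed in the post: "mm/dd-HH:MM:SS.usec  [**] msg [**] src -> dst".
# "host:port" endpoints are accepted as an optional extension; the post's lines carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class Alert:
    timestamp: str              # as Snort prints it, with no year
    msg: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def parse_alert_line(line: str) -> Optional[Alert]:
    """Return an Alert for a fast-alert line, or None for banner/status lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["msg"], m["src"], m["dst"],
                 int(m["sport"]) if m["sport"] else None,
                 int(m["dport"]) if m["dport"] else None)

def parse_alert_stream(lines) -> list:
    """Alerts from snort's stdout in order, with everything else dropped."""
    return [a for a in map(parse_alert_line, lines) if a is not None]

def count_by_signature(lines) -> Counter:
    """Tally alerts per (msg, src, dst) to summarise a replay run."""
    return Counter((a.msg, a.src, a.dst) for a in parse_alert_stream(lines))
# Constructed sample: the post's two alert lines with the status lines snort printed around them.
SAMPLE_OUTPUT = """\
Initializing Network Interface...
snaplen = 1514
Entering readback mode....
09/13-16:16:00.458547  [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
09/13-16:18:17.546041  [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
Exiting...
"""
if __name__ == "__main__":
    for key, n in count_by_signature(SAMPLE_OUTPUT.splitlines()).items():
        print(n, *key)
```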


