cpw at ...440...
Wed Sep 13 19:07:44 EDT 2000
At the risk of ridicule, I wanted to do the following:
1. Just write alerts in tcpdump format to a file in the -l <directory>
and do not create <directory>/alert. [Still have a problem with "portscan".
I'd like it to put all its stuff in the same tcpdump file]
# snort -i $INTERFACE -TL$LOGNAME -TR -TC5000 -TM0 -d -b -A none -o \
-l LOG_DIR -c scripts/wy.rules -F scripts/wy.bpf
[ignore the -T flags, they allow me to talk dirty to my ringbuffered libpcap.
[except for the $LOGNAME, which allows me to change the default name of the
tcpdump file snort-<mmdd at ...449...>.log
2. Generate the ascii alert stuff out-o-band with snort, possibly on a different
piece of hardware using stdout on the raw data in $LOGNAME.
[so I came up with quick hack of OpenAlertFile in log.c to do an fdopen on
stdout. This is probably pretty bad code, cause it assumes stdout is on
[Now for the question. How could I have done this without modifying the code?
[Here is a sample run on the data created from step 1.
# snort -r $LOGFILE -N -c scripts/wy.rules -q -A stdout
Initializing Network Interface...
snaplen = 1514
Entering readback mode....
09/13-16:16:00.458547 [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
09/13-16:18:17.546041 [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
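As an added example (not from the original post or from Snort itself), a small Python parser for the one-line alert records that the `-A stdout` run above prints, of the kind the out-of-band step 2 process would consume from a pipe. The record layout is assumed to be `MM/DD-HH:MM:SS.usec [**] message [**] src[:port] -> dst[:port]`, and the sample lines are constructed from the banner and the two alerts shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One alert record as printed by `snort -A stdout` in the post; the layout is
# assumed to be: MM/DD-HH:MM:SS.usec [**] <msg> [**] <src>[:port] -> <dst>[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

@dataclass
class Alert:
    timestamp: str
    message: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one line; banner/noise lines (no [**] markers) yield None."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(m["ts"], m["msg"], m["src"], m["dst"],
                 int(m["sport"]) if m["sport"] else None,
                 int(m["dport"]) if m["dport"] else None)

def parse_stream(lines: Iterable[str]) -> List[Alert]:
    """Keep only the lines that parse as alerts, in order."""
    return [a for a in map(parse_alert, lines) if a is not None]

def count_by_signature(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Tally alerts per (message, src, dst), the summary a pipeline reader wants."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for a in parse_stream(lines):
        key = (a.message, a.src, a.dst)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the readback banner and the two alerts shown in the post.
SAMPLE = [
    "Initializing Network Interface...",
    "snaplen = 1514",
    "Entering readback mode....",
    "09/13-16:16:00.458547 [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17",
    "09/13-16:18:17.546041 [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17",
]
```

Feeding `snort -r $LOGFILE ... -A stdout` through `parse_stream(sys.stdin)` gives the same structured records without an `alert` file on the sensor.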