[Snort-users] Logging query.

Scott A. McIntyre scott at ...1050...
Fri Jan 5 02:30:37 EST 2001


Hi,

I was thinking about the issue of maintaining historical data from Snort
and thought about a potential issue.  At the moment, there's a
/var/log/snort/ip.address/ structure, which is superb, but, within that
there is the "UDP:64840-33447" type file structure, which, also, is just
fine, unless by some freak occurrence (or design, given how some tools
work now) I happen to get 50,000 of those types of probes (UDP from port
X to port Y) in which case I'm assuming snort will merely tack it on to
the end of the already existing file (but I have not verified this).

Sooo, the question is, could this, potentially, be more useful as a
customized option specified somewhere in the configuration file (or
command line).

log-filename:  YYYYMMDD-%proto:%srcport-%dstport

Or some such.

I can (and probably will) automate some of this with other scripts, but
it would save time for historical tracking if it could be somehow
integrated into the file format earlier on.

Thoughts?

Scott
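One way to do the renaming the post talks about scripting, as an added example that is not from the post or from Snort itself: it parses the per-session names Snort writes under each `/var/log/snort/<ip>/` directory and expands the proposed `YYYYMMDD-%proto:%srcport-%dstport` template. The template tokens, the sample paths and the `walk_log_root` helper are assumptions made for the example.

```python
import re
from datetime import date
from pathlib import Path

# Snort's per-session log names look like "UDP:64840-33447" (proto:srcport-dstport);
# all file names used here are constructed for the example, not captured logs.
SESSION_RE = re.compile(r"^(?P<proto>[A-Z]+):(?P<srcport>\d+)-(?P<dstport>\d+)$")
TOKEN_RE = re.compile(r"%(proto|srcport|dstport)")  # assumed template tokens


def parse_session_name(name):
    """Split 'UDP:64840-33447' into its fields; None for names that do not match."""
    m = SESSION_RE.match(name)
    if not m:
        return None
    return {"proto": m.group("proto"),
            "srcport": int(m.group("srcport")),
            "dstport": int(m.group("dstport"))}


def render_log_name(template, fields, stamp):
    """Expand the proposed template: 'YYYYMMDD' becomes the date stamp (an
    8-digit string), %proto/%srcport/%dstport the parsed session fields."""
    out = template.replace("YYYYMMDD", stamp)
    return TOKEN_RE.sub(lambda m: str(fields[m.group(1)]), out)


def plan_renames(entries, template, stamp):
    """Map '<ip>/<session>' paths to their date-stamped names as (old, new) pairs.
    Entries that are not session files (e.g. 'alert') are skipped, so a day's
    probes from the same port pair land in one per-day file instead of one
    ever-growing file."""
    plan = []
    for entry in entries:
        ip, _, name = entry.rpartition("/")
        fields = parse_session_name(name)
        if fields is None:
            continue
        plan.append((entry, f"{ip}/{render_log_name(template, fields, stamp)}"))
    return plan


def walk_log_root(log_root):
    """Yield '<ip>/<session>' strings for every file under a Snort log directory."""
    root = Path(log_root)
    for ip_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for f in sorted(p for p in ip_dir.iterdir() if p.is_file()):
            yield f"{ip_dir.name}/{f.name}"


if __name__ == "__main__":
    # Dry run only: print the plan for today; apply it with Path.rename once reviewed.
    today = date.today().strftime("%Y%m%d")
    for old, new in plan_renames(walk_log_root("/var/log/snort"),
                                 "YYYYMMDD-%proto:%srcport-%dstport", today):
        print(old, "->", new)
```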
