[Snort-users] Logging

Subba Rao subba9 at ...530...
Sat May 19 15:15:07 EDT 2001


I have the default configuration file from the snort tarball and Maxvision's
rule set as well.

Before integrating Maxvision's ruleset, I was running Snort in daemon mode. Now
Snort is running via daemontools. Before letting daemontools manage Snort, I
added Maxvision's rule set to my snortfull.conf:

include /etc/snort-vision.conf

The current log files created are as follows:

-rw-------   1 root     root      2618536 May 15 14:46 alert
-rw-------   1 root     root       207121 May 15 18:13 log
-rw-------   1 root     root       361571 May 15 18:13 portscan.log
-rw-------   1 root     root         1362 May 15 14:46 snort-0515@1445.log
-rw-------   1 root     root           24 May 15 14:50 snort-0515@1447.log
-rw-------   1 root     root           24 May 15 14:50 snort-0515@1450.log

Before daemontools, the log files were as follows:

drwx------   2 root     root         4096 May 15 17:06 12.119.178.6/
drwx------   2 root     root         4096 May 15 17:06 130.239.40.15/
drwx------   2 root     root         4096 Apr 25 17:31 134.24.32.214/
drwx------   2 root     root         4096 May 15 17:06 192.87.5.150/
drwx------   2 root     root         4096 Apr 25 17:31 207.88.250.10/
-rw-------   1 root     root      2618536 May 15 14:46 alert
-rw-------   1 root     root       207121 May 15 18:13 log
-rw-------   1 root     root       361571 May 15 18:13 portscan.log
-rw-------   1 root     root            0 May 15 14:51 snort-0515@1451.log
-rw-------   1 root     root           24 May 15 15:01 snort-0515@1500.log
-rw-------   1 root     root           24 May 15 15:03 snort-0515@1502.log

I prefer the previous logging technique, where alerts are put in a directory
named after the offending host's IP address.

How do I get that old style logging back?

TIA.
-- 

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217