[Snort-users] IP Address subdirectories
jsage at ...2022...
Fri Nov 30 20:17:01 EST 2001
/*wild guess follows*/
To quote the Snort User's Manual 1.8.3:
"./snort -dev -l ./log -h 192.168.1.0/24"
"This rule tells Snort that you want to print out the data link and
TCP/IP headers as well as application data into the directory ./log,
and you want to log the packets relative to the 192.168.1.0 class
"All incoming packets will be recorded into subdirectories
of the log directory, with the directory names being based on the
address of the remote (non-192.168.1) host. Note that if both hosts
are on the home network, then they are recorded based upon the higher
of the two's port numbers, or in the case of a tie, the source address."
So I'm wondering if it's not working because you have $HOME_NET
*not* defined as a specific netblock.
> var HOME_NET any
Try setting $HOME_NET to an appropriate netblock for your internal
network in snort.conf, or try something like this
on the command line and see what happens.
Phil Lyons wrote:
> Phil Lyons
> Voice/Fax: 630-839-6744
> I see no subdirectories under /var/log/snort for IP addresses.
> I am familiar w/the faq 3.9:
> 3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
> Q: Why are there no subdirectories under /var/log/snort for IP addresses?
> A: It depends on how your snort configuration logs. If it logs in binary
> format, you'll have to process the binary log in order to get cleartext
> BUT - I am not, to my knowledge, logging binary - unless using mysql to log
> alerts means binary?
> OK, so I am obviously new to the snort world :-/
> I do have a cleartext alert logfile in /var/log/snort.
> My configuration is as follows:
> My command line to start:
> /usr/local/bin/snort -u root -g xxxxxxx -m 006 -de -D -i eth1 -l
> /var/log/snort -c /etc/snort/snort.conf
> My snort.conf lines:
> var HOME_NET any
> output database: log, mysql, user=snort password=xxxxxxxx dbname=snort
> Using Version 1.8.1-RELEASE (Build 74) on Red Hat 7.0
> I have recently added switches -e and -l /var/log/snort to try to get
> back my IP subdirectory logging. No luck.
> What must I do to get my IP address logging facility back?
> Your help is appreciated,
> Phil Lyons
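As an added illustration (not part of the thread or of Snort's own code): a Python model of the subdirectory-naming rule in the manual passage quoted above, evaluated under `var HOME_NET any` and under a specific netblock. The sample flows and the 192.168.1.0/24 netblock are constructed for the example; whether Snort 1.8.1 really behaves this way with `any` is the question the thread leaves open.

```python
import ipaddress
from typing import Optional

def log_subdirectory(home_net: str, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the address that names the per-host log subdirectory for one
    packet, following the manual passage quoted above. Returns None for a
    packet with neither host on the home network, which that passage does
    not cover."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if home_net == "any":
        # "any" puts every address on the home network, so the
        # "remote host" branches below can never be taken.
        src_home = dst_home = True
    else:
        home = ipaddress.ip_network(home_net, strict=False)
        src_home, dst_home = src in home, dst in home
    if src_home and dst_home:
        # Both hosts on the home network: the host with the higher port
        # wins; on a tie, the source address is used.
        if dst_port > src_port:
            return str(dst)
        return str(src)
    if src_home:
        return str(dst)      # destination is the remote host
    if dst_home:
        return str(src)      # source is the remote host
    return None

# Constructed sample flows (not from the thread): (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("192.168.1.5", 1025, "10.0.0.1", 80),      # home -> remote web server
    ("10.0.0.1", 80, "192.168.1.5", 1025),      # reply from the remote host
    ("192.168.1.5", 1025, "192.168.1.10", 80),  # both home, higher port on src
    ("192.168.1.5", 53, "192.168.1.10", 53),    # both home, tie -> source
]

def compare_home_net_settings(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to the subdirectory chosen under 'var HOME_NET any'
    versus a specific netblock, to show how the setting changes the result."""
    return {
        flow: (log_subdirectory("any", *flow),
               log_subdirectory("192.168.1.0/24", *flow))
        for flow in flows
    }

if __name__ == "__main__":
    for flow, (any_dir, netblock_dir) in compare_home_net_settings().items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  "
              f"HOME_NET any: {any_dir:<14} 192.168.1.0/24: {netblock_dir}")
```

With the netblock set, both directions of the first flow land in the remote host's directory (10.0.0.1); with `any`, the choice is made by port ordering alone.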