[Snort-users] IP Address subdirectories

John Sage jsage at ...2022...
Fri Nov 30 20:17:01 EST 2001


Phil:

/*wild guess follows*/


To quote the Snort User's Manual 1.8.3:

"./snort -dev -l ./log -h 192.168.1.0/24

"This rule tells Snort that you want to print out the data link and
TCP/IP headers as well as application data into the directory ./log,
and you want to log the packets relative to the 192.168.1.0 class
C network."

"All incoming packets will be recorded into subdirectories
of the log directory, with the directory names being based on the
address of the remote (non-192.168.1) host. Note that if both hosts
are on the home network, then they are recorded based upon the higher
of the two's port numbers, or in the case of a tie, the source address."


So I'm wondering if it's not working because you have $HOME_NET 
*not* defined as a specific netblock.

 > var HOME_NET any


Try setting $HOME_NET to an appropriate netblock for your internal 
network in snort.conf, or try something like this

-h 192.168.1.0/24

on the command line and see what happens.

- John



Phil Lyons wrote:

> Phil Lyons
> Voice/Fax: 630-839-6744
> Hi,
> 
> I see no subdirectories under /var/log/snort for IP addresses.
> 
> I am familiar w/the faq 3.9:
> 
> 3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
> Q: Why are there no subdirectories under /var/log/snort for IP addresses?
> 
> A: It depends on how your snort configuration logs. If it logs in binary
>   format, you'll have to process the binary log in order to get cleartext
> 
> BUT - I am not to my knowledge logging binary - unless by using mysql to 
> log
> alerts that means binary?
> 
> OK, so I am obviously new to the snort world  :-/
> 
> I do have a cleartext alert logfile in /var/log/snort.
> 
> 
> My configuration is as follows:
> 
> 
> My command line to start:
> /usr/local/bin/snort -u root -g xxxxxxx -m 006 -de -D -i eth1 -l 
> /var/log/snort -c /etc/snort/snort.conf
> 
> My snort.conf lines:
> 
> ---->cut
> 
> var HOME_NET any
> output database: log, mysql, user=snort password=xxxxxxxx dbname=snort 
> host=xx.x.x.x
> 
> ---->cut
> 
> Using Version 1.8.1-RELEASE (Build 74) on Red Hat 7.0
> 
> I have recently added switches -e and -l /var/log/snort to try to get 
> back my IP subdirectory logging. No luck.
> 
> What must I do to get my IP address logging facility back?
> 
> Your help is appreciated,
> 
> Phil Lyons
> 
