[Snort-users] Documentation: log_tcpdump and maybe others.

Jesus Couto jesus.couto at ...3830...
Thu Oct 25 04:24:09 EDT 2001


Writing just to suggest that the user manual should be updated to
explain that, if you use a full path in the name of the file for the
log_tcpdump plugin, it uses that exact file, without the "%m%d@%H%M-"
prefix, and that means your log file can be deleted, as snort unlinks
the file if it hasn't written anything to the file, so in the (unlikely?)
case that you restart snort too soon and nothing gets logged, your
previous log is deleted.

The circumstances in which I discovered this are a bit embarrassing... I'm
trying to log anything to MySQL, so I configured that plugin to log the
alerts, but then it was also logging the packets using the "directory"
text log style, so I changed it to use log_tcpdump and redirected it to
/dev/null; running snort as root and restarting to test something left
me without that device :-(

BTW, now I have it working, by running snort chrooted and under another
user and writing to a null device in the jail that it can't delete
because the owner is root, but of course now I can't send a HUP to it
and get it restarted. Does anyone know of a cleaner way to achieve this?

Thanks in advance

Jesús Couto F.
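As an added illustration of the hazard described in the post above (this is example code written for this page, not code from the original message, from Jesús, or from the Snort project): a small Python preflight check that inspects a full-path log target before a packet logger is started under a given uid/gid and warns when the target is a device node (so an unlink on close would remove the node itself, exactly what happened with /dev/null) or when the parent directory is writable by that user (so the process can unlink the file at all). `simulated_close` is a hypothetical model of the unlink-when-nothing-was-written behaviour the post attributes to log_tcpdump, not Snort's code, and it is only ever run against a regular file in a temporary directory. The helper names, the sample uid/gid values and the "jail" layout are assumptions for the example; the check looks only at classic ownership and mode bits, not ACLs or capabilities.

```python
import os
import stat
import tempfile


def dir_writable_by(dirpath, uid, gid):
    """Return True if a process running as uid/gid could create or unlink
    entries in dirpath. Only ownership and classic mode bits are considered
    (no ACLs, no capabilities); root is always treated as able to write."""
    if uid == 0:
        return True
    st = os.stat(dirpath)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def check_log_target(path, uid, gid):
    """Preflight check (assumed helper) for a full-path log target that a
    logger might unlink on close. Returns a list of warning strings; an
    empty list means the target survives an unlink attempt by uid/gid."""
    warnings = []
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None and (stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)):
        warnings.append("target %s is a device node; an unlink on close removes "
                        "the node itself, not just logged data" % path)
    if dir_writable_by(parent, uid, gid):
        warnings.append("parent directory %s is writable by uid %d; the process "
                        "can unlink the target" % (parent, uid))
    return warnings


def simulated_close(path, bytes_written):
    """Hypothetical model of the behaviour the post describes: on close, if
    nothing was written to the file, unlink it. Returns True if it unlinked."""
    if bytes_written == 0:
        os.unlink(path)
        return True
    return False


def demo_empty_log_is_unlinked():
    """Reproduce the failure mode safely: a regular file stands in for the
    device node, inside a throwaway directory, so nothing real is removed.
    Returns True if the 'log' disappeared after a close with zero bytes."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "null")          # stand-in for /dev/null
        open(target, "w").close()
        removed = simulated_close(target, 0)
        return removed and not os.path.exists(target)


def demo_regular_file_check(uid, gid):
    """Create a regular log file in a fresh 0700 directory owned by the
    current user and run the preflight check for the given uid/gid."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "snort.log")
        open(target, "w").close()
        return check_log_target(target, uid, gid)


if __name__ == "__main__":
    print("empty log unlinked on close:", demo_empty_log_is_unlinked())
    for w in check_log_target("/dev/null", 0, 0):          # snort as root
        print("root   :", w)
    for w in check_log_target("/dev/null", 65534, 65534):  # unprivileged user
        print("nobody :", w)
```

Running it as root against /dev/null produces both warnings; for an unprivileged uid only the device-node warning remains, which is the situation the post's chroot setup relies on (a root-owned node in a directory the snort user cannot write). A regular log file in a directory owned by the same user that runs the logger gets the writable-directory warning, which is the plain case where an empty log from a too-early restart silently removes the previous one.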

