[Snort-users] Documentation: log_tcpdump and maybe others.
jesus.couto at ...3830...
Thu Oct 25 04:24:09 EDT 2001
Writing just to suggest that the user manual should be updated to explain that, if you use a full path in the name of the file of the log_tcpdump plugin, it uses that exact file, without the "%m%d@%H%M-" prefix, and that means your log file can be deleted, as snort unlinks the file if it hasn't written anything to the file, so in the (unlikely?) event that you restart snort too soon and nothing gets logged, your previous log is deleted.
The circumstances I discovered this are a bit embarrassing... I'm trying anything to MySQL, so I configured that plugin to log the alerts, but then it was also logging the packets using the "directory" text log style, so I changed it to use log_tcpdump and redirected it to /dev/null; running snort as root and restarting to test something left me without that

BTW, now I have it working, by running snort chrooted and under another user and writing to a null device in the jail that it can't delete because the owner is root, but of course now I can't send a HUP to it and get it restarted. Does anyone know of a cleaner way to achieve this?
Thanks in advance
Jesús Couto F.
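An added check for the behaviour described in this post (example code, not from the post or from Snort): it lists the log_tcpdump outputs in a snort.conf that name an absolute path, which Snort opens verbatim (no "%m%d@%H%M-" prefix) and, per the post, unlinks on shutdown if nothing was written. It assumes the config line form "output log_tcpdump: <file>" and builds its own constructed sample config in a temp directory.

```shell
#!/bin/sh
# Added example (not Snort's code): flag log_tcpdump outputs that use a fixed,
# absolute path. Such a file is reused across restarts, so an idle restart can
# unlink a log you wanted to keep. Only "output log_tcpdump: <file>" lines are
# parsed (assumption about the config format).

# Print "<path> <state>" for every absolute log_tcpdump path in $1, where state
# is missing, device (e.g. /dev/null), empty (would be unlinked on an idle
# restart) or has-data (previous log that an idle restart would lose).
log_tcpdump_risks() {
    conf=$1
    sed -nE 's/^[[:space:]]*output[[:space:]]+log_tcpdump:[[:space:]]*([^[:space:]]+).*/\1/p' "$conf" |
    while IFS= read -r path; do
        case $path in
            /*) ;;            # absolute: opened as-is, no timestamp prefix
            *)  continue ;;   # relative: Snort prefixes a timestamp, fresh file per run
        esac
        if [ ! -e "$path" ]; then
            state=missing
        elif [ -c "$path" ]; then
            state=device
        elif [ -s "$path" ]; then
            state=has-data
        else
            state=empty
        fi
        printf '%s %s\n' "$path" "$state"
    done
}

# Note for the chroot workaround: unlink(2) is allowed by write permission on
# the *directory*, not by who owns the file, so the jail's device directory is
# what has to be non-writable for the snort user.

# Demo on a constructed config (sample data, not a real deployment).
demo_log_tcpdump_risks() {
    d=$(mktemp -d)
    printf 'output log_tcpdump: snort.log\n' > "$d/snort.conf"      # relative: safe
    printf 'output log_tcpdump: %s/old.log\n' "$d" >> "$d/snort.conf" # has data
    printf 'output log_tcpdump: %s/new.log\n' "$d" >> "$d/snort.conf" # empty
    printf 'packets' > "$d/old.log"
    : > "$d/new.log"
    log_tcpdump_risks "$d/snort.conf"
    rm -rf "$d"
}

demo_log_tcpdump_risks
```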