[Snort-users] Logging not working
ed at ...3483...
Thu Sep 20 23:13:01 EDT 2001
At 01:30 AM Friday, 9/21/2001, Gordon Ewasiuk wrote -=>
> > >touch /var/log/snort/alert
> > >then restart snort.
> > Did just that - had no effect. It did create another set of snort.alert
> > and snort.log though - and I noticed that the older ones had something in
> > them...
>Got my wires crossed. I'm doing high-perf config which logs to
>/var/log/snort/alert in ASCII text.
high-perf config? I'll have to do some reading on that one....
> > 2096 Sep 20 21:44 0920 at ...3540...
> > 4096 Sep 20 21:08 0920 at ...3541...
> > 0 Sep 20 21:44 0920 at ...3543...
> > 0 Sep 20 21:44 0920 at ...3544...
> > But - when I tried to view them I get the following:
> > "0920 at ...3540..." may be a binary file. See it anyway?
> > Is this a database file????
>Appears so. You got a '-b' on your snort cmd line? that logs to a binary
>file. Think you gotta replay those like tcpdump. Logging to binary file
>is faster (says docs). To replay the binary file and view stuff:
>quoting from snort.org:
>To read this file back and break out the data in the familiar Snort
>format, just rerun Snort on the data file with the "-r" option and the
>other options you would normally use. For example:
>snort -d -c snort.conf -l <logdir> -h <homenets> -r <your logfile>
There is no '-b' in the command line. Could it be coming from somewhere
in the config file??
I tried to break out the data but get an error on that as well:
--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/var/log/snort/0920 at ...3545..." file.
ERROR => unable to open file "/var/log/snort/0920 at ...3545..." for
readback: archaic file format
Fatal Error, Quitting..
>Also, if you want to log to ascii text file, try:
><path to snort> -b -A fast -c <path to snort.conf>
Snort wouldn't start with this. Had to revert to <path to snort> -D -c
<path to snort.conf>
Scratching my head.......
Los Angeles, CA
. . . . . . . .
It is a funny thing about life: if you refuse to accept anything
but the best you very often get it. -William Somerset Maugham
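Added example, not part of the original thread and not Snort's or libpcap's own code: the "may be a binary file" prompt and the "archaic file format" error above are both about the shape of the file, so the script below reads a file's header the way libpcap's savefile reader does before you spend time on `snort -r`. libpcap refuses a file whose leading magic is not a savefile magic with "bad dump file format" (an ASCII alert file lands here) and one whose major version is below 2 with "archaic file format"; the script reports which of those applies, whether the file was written on a host of the other byte order, and how many complete packet records it holds, so a log cut off mid-write shows up as truncated. The sample files it builds are constructed for the demonstration; `build_pcap` and the filenames in the printout are mine, not Snort's.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # libpcap savefile magic (microsecond timestamps)
PCAP_MAGIC_NSEC = 0xA1B23C4D  # nanosecond-timestamp variant
PCAP_VERSION_MAJOR = 2        # libpcap reports lower majors as "archaic file format"
GLOBAL_HDR_LEN = 24
PKT_HDR_LEN = 16


def _swap32(v):
    """Byte-swap a 32-bit value (magic as seen from the other endianness)."""
    return struct.unpack("<I", struct.pack(">I", v))[0]


def _looks_like_text(data):
    """Rough check for an ASCII alert/log file mistaken for a binary log."""
    sample = data[:512]
    return bool(sample) and all(b in b"\t\n\r" or 32 <= b < 127 for b in sample)


def classify_capture(data):
    """Classify a Snort -b log (libpcap savefile) the way libpcap's reader does.

    Returns a dict whose 'status' is one of 'ok', 'archaic file format',
    'bad dump file format' or 'truncated header', plus header fields and,
    for readable files, the number of complete packet records present.
    """
    if len(data) < GLOBAL_HDR_LEN:
        return {"status": "truncated header", "looks_like_text": _looks_like_text(data)}

    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (_swap32(PCAP_MAGIC), _swap32(PCAP_MAGIC_NSEC)):
        endian = ">"  # written on a host of the opposite byte order; still readable
    else:
        # No savefile magic at all: ASCII alert text or some other file
        return {"status": "bad dump file format", "looks_like_text": _looks_like_text(data)}

    (_magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype) = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR_LEN])
    info = {"endian": endian, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype}

    if vmaj < PCAP_VERSION_MAJOR:
        info["status"] = "archaic file format"
        return info

    # Walk the per-packet records: each is a 16-byte header followed by incl_len
    # bytes of frame, so a file cut off mid-write shows up as truncated.
    count, off, truncated = 0, GLOBAL_HDR_LEN, False
    while off < len(data):
        if off + PKT_HDR_LEN > len(data):
            truncated = True
            break
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PKT_HDR_LEN])
        if incl_len > snaplen or off + PKT_HDR_LEN + incl_len > len(data):
            truncated = True
            break
        off += PKT_HDR_LEN + incl_len
        count += 1
    info.update(status="ok", packets=count, truncated=truncated)
    return info


def build_pcap(packets, version=(2, 4), big_endian=False, snaplen=1514):
    """Constructed sample writer: a minimal savefile with link type 1 (Ethernet)."""
    e = ">" if big_endian else "<"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC, version[0], version[1], 0, 0, snaplen, 1)
    for i, payload in enumerate(packets):
        out += struct.pack(e + "IIII", 1000000000 + i, 0, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    frame = bytes(14) + b"\x45" + bytes(59)  # constructed 74-byte Ethernet-sized frame
    samples = {                              # names are illustrative, not real log files
        "snort.log (good)": build_pcap([frame, frame]),
        "snort.log (big-endian host)": build_pcap([frame], big_endian=True),
        "snort.log (archaic v1.0)": build_pcap([frame], version=(1, 0)),
        "alert (ASCII)": b"[**] [1:0:0] constructed sample alert line [**]\n",
        "snort.log (cut off)": build_pcap([frame, frame])[:-10],
    }
    for name, data in samples.items():
        print(f"{name:28s} -> {classify_capture(data)}")
```

Run it against a real file with `classify_capture(open(path, "rb").read())`; a result of "bad dump file format" with looks_like_text set means the file is an ASCII alert/log and wants a text viewer, not `snort -r`, while "archaic file format" means the header carries a pre-2.x version number and libpcap will refuse it exactly as in the error quoted above.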