[Snort-users] Logging not working

Ed Kasky ed at ...3483...
Thu Sep 20 23:13:01 EDT 2001


At 01:30 AM Friday, 9/21/2001, Gordon Ewasiuk wrote -=>
> > >touch /var/log/snort/alert
> > >then restart snort.
> > Did just that - had no effect.  It did create another set of snort.alert
> > and snort.log though - and I noticed that the older ones had something in
> > them...
>Got my wires crossed.  I'm doing high-perf config which logs to
>/var/log/snort/alert in ASCII text.

high-perf config?  I'll have to do some reading on that one....

> > 2096 Sep 20 21:44 0920 at ...3540...
> > 4096 Sep 20 21:08 0920 at ...3541...
> >
> > 0 Sep 20 21:44 0920 at ...3543...
> > 0 Sep 20 21:44 0920 at ...3544...
> >
> > But - when I tried to view them I get the following:
> >
> > "0920 at ...3540..." may be a binary file.  See it anyway?
> > Is this a database file????
>
>Appears so.  You got a '-b' on your snort cmd line?  That logs to a binary
>file.  Think you gotta replay those like tcpdump.  Logging to a binary file
>is faster (says docs).  To replay the binary file and view stuff:
>
>quoting from snort.org:
>
>To read this file back and break out the data in the familiar Snort
>format, just rerun Snort on the data file with the "-r" option and the
>other options you would normally use. For example:
>
>snort -d -c snort.conf -l <logdir> -h <homenets> -r <your logfile>
>
>from http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.2

There is no '-b' in the command line.  Could it be getting that from somewhere
in the config file?

I tried to break out the data but get an error on that as well:

  --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/var/log/snort/0920 at ...3545..." file.
ERROR => unable to open file "/var/log/snort/0920 at ...3545..." for
readback: archaic file format
Fatal Error, Quitting..

>Also, if you want to log to ascii text file, try:
>
><path to snort> -b -A fast -c <path to snort.conf>

Snort wouldn't start with this.  Had to revert to
<path to snort> -D -c <path to snort.conf>

Scratching my head.......

Ed
~~




Ed Kasky
Los Angeles, CA
. . . . . . . .
It is a funny thing about life:  if you refuse to accept anything
but the best you very often get it. -William Somerset Maugham
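The thread turns on two checks libpcap makes when Snort is started with -r: it looks for the pcap magic number in the 24-byte global header, and it refuses the file with "archaic file format" when the header's major-version field is below 2. The Python below is an added example, not code from this thread or from the Snort project; it mirrors those two checks so a file under /var/log/snort can be classified before it is handed to snort -r, and it tells an ASCII alert/log file apart from a pcap file. The pcap headers and the alert line are constructed sample data, and the path in inspect_file is a placeholder.

```python
"""Classify the first 24 bytes of a Snort log file the way libpcap does at open time.

Added example, not from the Snort-users thread or the Snort source. The sample
headers and the alert text below are constructed; no real log file is read
unless inspect_file() is called on a path you supply.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # standard libpcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant used by newer libpcap
PCAP_VERSION_MAJOR = 2         # libpcap rejects an older major version as "archaic file format"
GLOBAL_HEADER_LEN = 24         # magic(4) vmaj(2) vmin(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)


def inspect_header(data: bytes) -> dict:
    """Describe a file's global header, reproducing libpcap's open-time checks."""
    if len(data) < GLOBAL_HEADER_LEN:
        # A zero-length or very short file has no global header at all.
        return {"kind": "truncated", "length": len(data)}

    (magic_le,) = struct.unpack("<I", data[:4])
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        # No pcap magic. Snort's ASCII alert/log files start with printable
        # text, so separate "plain text" from "some other binary format".
        printable = all(b in b"\r\n\t" or 0x20 <= b < 0x7F
                        for b in data[:GLOBAL_HEADER_LEN])
        return {"kind": "text" if printable else "unknown-binary"}

    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    info = {
        "kind": "pcap",
        "byte_order": "little" if endian == "<" else "big",
        "nanosecond": magic == PCAP_MAGIC_NSEC,
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
    }
    if vmaj < PCAP_VERSION_MAJOR:
        # Exactly the message libpcap leaves in its error buffer; Snort prints it
        # after 'unable to open file "..." for readback:'.
        info["libpcap_error"] = "archaic file format"
    return info


def inspect_file(path: str) -> dict:
    """Read only the global header from disk and classify it."""
    with open(path, "rb") as fh:
        return inspect_header(fh.read(GLOBAL_HEADER_LEN))


def make_header(vmaj: int, vmin: int, snaplen: int = 1514, linktype: int = 1,
                magic: int = PCAP_MAGIC_USEC, endian: str = "<") -> bytes:
    """Build a pcap global header (constructed sample data, linktype 1 = Ethernet)."""
    return struct.pack(endian + "IHHiIII", magic, vmaj, vmin, 0, 0, snaplen, linktype)


# Constructed samples standing in for files under /var/log/snort.
SAMPLE_GOOD_PCAP = make_header(2, 4)                 # what snort -b writes: version 2.4
SAMPLE_GOOD_PCAP_BE = make_header(2, 4, endian=">")  # same file written on a big-endian host
SAMPLE_ARCHAIC = make_header(1, 0)                   # major version 1: libpcap refuses it
SAMPLE_ASCII_ALERT = (b"[**] [1:0:0] Constructed alert line [**]\n"
                      b"09/20-21:44:00.000000 10.0.0.1 -> 10.0.0.2\n")   # constructed text


if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD_PCAP), ("big-endian", SAMPLE_GOOD_PCAP_BE),
                       ("archaic", SAMPLE_ARCHAIC), ("alert", SAMPLE_ASCII_ALERT),
                       ("empty", b"")]:
        print(name, inspect_header(blob))
```

Run it against a real file with inspect_file('/var/log/snort/<name>'). A "text" result means the file is an ASCII alert or log and can simply be viewed; "pcap" with version (2, 4) is what snort -b (or, in the config file, an output log_tcpdump: directive) writes and is what snort -r expects; "truncated" is what the two zero-length files in the listing would return, since they contain no global header; and the "archaic file format" result reproduces the libpcap message quoted in the thread, which means the file carries pcap magic but a major-version field below 2, not that it is a database file.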