FW: [Snort-users] Re: alert_full won't create subdirectories for ip addresses when mysql logging is enabled

Frank Knobbe fknobbe at ...652...
Wed Dec 4 09:39:02 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Hicks, John [mailto:JHicks at ...5857...]
> Sent: Wednesday, December 04, 2002 10:54 AM
> 
> Frank,
> Out of curiosity, did you use it with 1.8??? I tried on an old copy and got
> "*WARNING*: unknown output plugin "log_ascii", ignoring!". However, on my
> 1.9 node, it works great (I *love* having nicely organized packet files for
> analysis)
> 
> Definitely a needed feature, imho.


John,

Under Snort 1.8.7, I'm using the 'output alert_full: alert.ids' in
the snort.conf file and start Snort with the '-d' switch. That will
dump the application layer (packet data) in ASCII into
subdirectories. The alert.ids file contains the summary, and if I
want details, I just open the detailed text file in the subdirectory
(I actually have a script that emails me all those on demand).

The 'output log_ascii' does not exist under 1.8.x. I'm not sure how
much different that is from the '-d' switch, but I can't imagine what
additional data it would log since you get the full packet in ASCII
with '-d'.

Regards,
Frank




-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPe49X8zYtOFvgXQfEQLgfgCeNXfoa/9V2eRY/+Pe3duJvOg9kw8AoNG3
Qcb+xOh4/cI+RMg4+Pdgh/fu
=f3aP
-----END PGP SIGNATURE-----
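Frank mentions a script that collects the alert_full output on demand. The POSIX sh below is an added example written for this page, not Frank's script and not part of Snort; it assumes the layout his message describes (a summary in `LOGDIR/alert.ids` plus one subdirectory per address holding the ASCII packet dumps produced with `-d`). The sample log directory, its addresses and its file names are constructed so the script runs offline; real Snort output will differ in detail.

```shell
#!/bin/sh
# Added example (not from the thread): build a single digest file from an
# alert_full log directory instead of opening each subdirectory by hand.

# Constructed sample log directory so the functions below can be exercised
# offline. Addresses, alert text and file names are made up for this example.
make_sample_logdir() {
    dir=$1
    mkdir -p "$dir/10.0.0.5" "$dir/192.168.1.20"
    printf '[**] [1:1000001:1] CONSTRUCTED test alert [**]\n12/04-10:54:02.123456 10.0.0.5:1234 -> 192.168.1.20:80\n' > "$dir/alert.ids"
    printf 'GET /index.html HTTP/1.0\r\n\r\n' > "$dir/10.0.0.5/TCP:1234-80"
    printf 'HTTP/1.0 200 OK\r\n\r\n' > "$dir/192.168.1.20/TCP:80-1234"
}

# Write a digest to $2: the alert.ids summary first, then every packet file
# found in the per-address subdirectories of $1, each under a header line
# naming its relative path so the reader can see which host it came from.
snort_digest() {
    logdir=$1
    out=$2
    : > "$out"
    if [ -f "$logdir/alert.ids" ]; then
        printf '=== summary (%s/alert.ids) ===\n' "$logdir" >> "$out"
        cat "$logdir/alert.ids" >> "$out"
    fi
    # The trailing slash in the glob matches directories only, so the
    # summary file and the digest itself are never treated as hosts.
    for d in "$logdir"/*/; do
        [ -d "$d" ] || continue
        for f in "$d"*; do
            [ -f "$f" ] || continue
            printf '\n=== %s ===\n' "${f#"$logdir"/}" >> "$out"
            cat "$f" >> "$out"
            printf '\n' >> "$out"
        done
    done
}

# Count the per-address subdirectories present; a quick sanity check that
# alert_full is actually creating them (the question this thread started with).
count_addr_dirs() {
    n=0
    for d in "$1"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (uncomment to run against a real Snort log directory):
# snort_digest /var/log/snort /tmp/snort-digest.txt
```

The digest is written to a file rather than mailed, so whatever mail command is used on the sensor can be pointed at it afterwards.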
