[Snort-users] ASCII logging

Bill McCarty bmccarty at ...5196...
Mon Jun 24 15:28:03 EDT 2002


Hi all,

I've been successfully using snort for several months. But, I have yet to 
really understand the command-line and configuration-file options related 
to logging. In particular, I want snort to generate alerts and perform 
binary logging to a specified file and directory. But, it persists in 
generating unwanted ASCII logs, which waste disc space and CPU cycles.

My snort invocation is:

daemon /usr/local/bin/snort \
  -D \
  -b \
  -N \
  -c $CDIR \
  -i $INTERFACE \
  -l $DIRBASE/$WEEK/$DATE \
  -L $FILE \
  -u $USER

And, the relevant contents of snort's configuration file are:

output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: /space1/snort/snort-full
output alert_fast: /space1/snort/snort-fast

log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session: printable;)
log udp any !8116 <> $HOME_NET any (msg: "Unmatched UDP";session: printable;)
log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session: printable;)

I thought that the -b flag would dispense with ASCII logging. What am I 
missing?

I realize that having both full and fast alerts is not ideal. But, for 
several reasons I find it convenient; so, I prefer to continue generating 
the redundant alerts along with the system log entries. It's only the ASCII 
logs I want to ditch.

This is snort 1.8.6 (Build 105), under Red Hat Linux 7.2, installed via 
tarball rather than RPM.

Thanks!

---------------------------------------------------
Bill McCarty
