[Snort-users] output log_tcpdump bulk.log

Bob Hillegas bobhillegas at ...3133...
Tue Mar 5 21:17:02 EST 2002


BACKGROUND... In my snort.conf I have added the following ruletype:

ruletype bulk
{
  type log
  output log_tcpdump bulk.log
}

This rule type is fed by a rule in local.rules:

log ip any any <> any any (msg:"Capture all ip packets")

PROBLEM... File is overwritten!!

I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every 
30 minutes. This means it dials twice an hour. Since I get an new ip every 
time I dial in, I must kill -INT snort.pid each time the interface goes 
down and restart snort with 

var HOME_NET $ppp0_ADDRESS

every time the interface is brought back up. That works fine.
But, the above output statement creates filenames like 0305 at ...5215... 
When two are created the same hour, the second one overwrites the first. 

QUESTION... Is there a way of extending the naming to include minutes, or 
to enable appending to file?

Thanks
-- 
-------------------------------------------------
Bob Hillegas           
<bobhillegas at ...3133...> 






More information about the Snort-users mailing list