[Snort-users] output log_tcpdump bulk.log
jsage at ...2022...
Wed Mar 6 06:06:04 EST 2002
If you've already got cron involved, write a shell or perl script that
runs from cron and renames the file..
Here's something I use (perl wizards: don't laugh :-)
# run from /etc/crontab by:
# 00 4 * * * root /bin/sh /var/log/snort/rotate_counts.plx
# minute 00, hour 04, * * * rotate counts, datestamp, touch new
$t = `date +%m%d%y%H%M`;
system("mv -f /var/log/snort/count_ports /var/log/snort/count_ports.$t");
system("mv -f /var/log/snort/count_probes /var/log/snort/count_probes.$t");
system("mv -f /var/log/snort/count_probes_sort /var/log/snort/count_probes_sort.$t");
# EOF rotate_counts.plx 09/29/01
Most people don't type their own logfiles; but, what do I care?
On Tue, Mar 05, 2002 at 11:15:11PM -0600, Bob Hillegas wrote:
> BACKGROUND... In my snort.conf I have added the following ruletype:
> ruletype bulk
> type log
> output log_tcpdump bulk.log
> This rule type is fed by a rule in local.rules:
> log ip any any <> any any (msg:"Capture all ip packets")
> PROBLEM... File is overwritten!!
> I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every
> 30 minutes. This means it dials twice an hour. Since I get an new ip every
> time I dial in, I must kill -INT snort.pid each time the interface goes
> down and restart snort with
> var HOME_NET $ppp0_ADDRESS
> every time the interface is brought back up. That works fine.
> But, the above output statement creates filenames like 0305 at ...5215...
> When two are created the same hour, the second one overwrites the first.
> QUESTION... Is there a way of extending the naming to include minutes, or
> to enable appending to file?
> Bob Hillegas
> <bobhillegas at ...3133...>
More information about the Snort-users