[Snort-users] Please mommy... make the bad man stop!

Erek Adams erek at ...577...
Wed Mar 6 11:05:00 EST 2002

On Wed, 6 Mar 2002, Erek Adams wrote:

> On 6 Mar 2002, Rob Hughes wrote:
> > Here's the deal. Until some cvs update a few months ago, snort happily
> > logged /var/log/snort/snort.log. Then it started prepending a time/date
> > stamp onto the files, neatly removing my ability to do log rotate jobs
> > since the files now have unpredictable names. This is the only logging
> > entry:
> >
> > output log_tcpdump: snort.log
> >
> > I'm currently running 1.8.4-beta2 on FreeBSD 4.5-STABLE. I've looked
> > through the code, but can't figure out why it's doing this.
> >
> > HALP! This is driving me nuts.
> Whoopsy, I hit send before I was ready!  :)
> Lemme dig thru the code and see what comes up.  I'm headed to bed now.  :)

Note to self:  Don't try to write email whilst sleep deprived.


[line numbers might be off slightly since this is a CVS version...]

	If you have a look in log.c at about line 2549, you'll see the start
of InitBinLogFile.  Going down into that a bit, you'll see some lines (2560
and 2581) that look like:

  strftime(timebuf, TIMEBUF_SIZE-1, "%m%d@%H%M", loc_time);

Later in the code you see a line (2588-2589) that looks like:

  snprintf(logdir, sizeof(logdir) -1,  "%s%s/snort-%s.log",
       chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf);

That's where you'd need to change it.

***WARNING***  Doing this can be bad.  That means you now have a one-off
version of snort and you'll need to make the same mods to each new version
that comes out.  I would suggest a simpler approach:  Modify your script.
Have it scan the directory for any *snort*.log files and then stop snort, move
the files somewhere else with another name and then restart snort.  This would
mean that your log dir shouldn't ever have more than one .log file in it.

	Anyways--Hope this helps!

Erek Adams
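A worked version of the rotation approach suggested in the reply above (stop snort, move every *snort*.log file out of the log directory under a unique name, restart snort), added here as an example that is not part of the original thread or of Snort itself. The log directory, the archive directory and the stop/start commands are assumptions supplied through environment variables with placeholder defaults; the file-moving step is kept in its own function so it can be exercised without a running sensor.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project.
# Assumptions (placeholders): the tcpdump-format logs live in LOG_DIR,
# and SNORT_STOP_CMD / SNORT_START_CMD know how to stop and restart snort.

LOG_DIR="${LOG_DIR:-/var/log/snort}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/snort/archive}"
SNORT_STOP_CMD="${SNORT_STOP_CMD:-killall -TERM snort}"                    # placeholder
SNORT_START_CMD="${SNORT_START_CMD:-/usr/local/bin/snort -c /usr/local/etc/snort.conf -D}"  # placeholder

# Move every *snort*.log file from $1 into $2, renaming each with the time of
# rotation so the unpredictable names snort now produces can never collide.
# Prints the number of files moved; 0 means the log dir was already clean.
archive_snort_logs() {
    src="$1"; dst="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    count=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*snort*.log; do
        [ -f "$f" ] || continue              # glob matched nothing
        base=$(basename "$f" .log)
        target="$dst/$base-$stamp.log"
        n=0
        while [ -e "$target" ]; do           # never clobber an earlier archive
            n=$((n + 1))
            target="$dst/$base-$stamp.$n.log"
        done
        mv "$f" "$target" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Full rotation: stop the sensor so it closes its current log file, archive
# whatever is in the log dir, then start the sensor again.
rotate_snort_logs() {
    sh -c "$SNORT_STOP_CMD" || return 1
    sleep 1                                  # let snort flush and exit
    moved=$(archive_snort_logs "$LOG_DIR" "$ARCHIVE_DIR") || return 1
    sh -c "$SNORT_START_CMD" || return 1
    echo "$moved"
}

# Run the full rotation only when asked to, so the file can be sourced safely.
if [ "${SNORT_ROTATE_MAIN:-0}" = "1" ]; then
    rotate_snort_logs
fi
```

Run it from cron as `SNORT_ROTATE_MAIN=1 sh rotate-snort.sh` with the three variables set for the host; because the archive name is built from the original file name plus the rotation time (and a counter on collision), it works unchanged whether snort writes plain `snort.log` or the newer `snort-MMDD@HHMM.log` form.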
