[Snort-users] Please mommy... make the bad man stop!

Rob Hughes rob at ...1932...
Wed Mar 6 11:26:25 EST 2002


On Wed, 2002-03-06 at 13:02, Erek Adams wrote:
> On Wed, 6 Mar 2002, Erek Adams wrote:
> 
> > On 6 Mar 2002, Rob Hughes wrote:
> >
> > > Here's the deal. Until some cvs update a few months ago, snort happily
> > > logged /var/log/snort/snort.log. Then it started prepending a time/date
> > > stamp onto the files, neatly removing my ability to do log rotate jobs
> > > since the files now have unpredictable names. This is the only logging
> > > entry:
> > >
> > > output log_tcpdump: snort.log
> > >
> > > I'm currently running 1.8.4-beta2 on FreeBSD 4.5-STABLE. I've looked
> > > through the code, but can't figure out why it's doing this.
> > >
> > > HALP! This is driving me nuts.
> >
> > Whoopsy, I hit send before I was ready!  :)
> >
> > Lemme dig thru the code and see what comes up.  I'm headed to bed now.  :)
> 
> Note to self:  Don't try to write email whilst sleep deprived.
> 
> Rob,
> 
> [line numbers might be off slightly since this is a CVS version...]
> 
> 	If you have a look in log.c at about line 2549, you'll see the start
> of InitBinLogFile.  Going down into that a bit, you'll see some lines (2560
> and 2581) that look like:
> 
>   strftime(timebuf, TIMEBUF_SIZE-1, "%m%d@%H%M", loc_time);
> 
> Later in the code you see a line (2588-2589) that looks like:
> 
>   snprintf(logdir, sizeof(logdir) - 1, "%s%s/snort-%s.log",
>        chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf);
> 
> That's where you'd need to change it.
> 
> ***WARNING***  Doing this can be bad.  That means you now have a one-off
> version of snort and you'll need to make the same mods to each new version
> that comes out.  I would suggest a simpler approach:  Modify your script.
> Have it scan the directory for any *snort*.log files and then stop snort, move
> the files somewhere else with another name and then restart snort.  This would
> mean that your log dir shouldn't ever have more than one .log file in it.
> 
> 	Anyways--Hope this helps!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 

That's what I thought might be causing it, but I don't have old versions
of the code to compare to. Nuts. I've asked Martin to restore the old
way of writing the snort.log, or to add an option, since I know a new
log will get generated every day due to another log file rotation job I
have. In addition, log files will get created if I have to reboot the
machine due to running make world or something on it. Welp, thanks for
your help. At least I learned something. And it looks like it's time to
write a new script.

Rob
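
The rotation script Erek describes (scan the log dir for *snort*.log, stop snort, move the files aside under a predictable name, start snort again), written out as an added example. It is not code from this thread or from the Snort project. The paths, the pidfile name (/var/run/snort_eth0.pid) and the snort command line are assumptions for a typical FreeBSD install and are marked ASSUMED in the script; it also handles the older fixed name snort.log, which the thread only mentions in passing.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Rotates the timestamped tcpdump logs that snort 1.8.x writes as
# <log_dir>/snort-MMDD@HHMM.log the way the thread suggests: stop snort,
# move every *snort*.log aside under a predictable name, start snort again.
set -u

# ASSUMED paths and command line; adjust to your own setup.
LOGDIR=${LOGDIR:-/var/log/snort}
ARCHIVE=${ARCHIVE:-/var/log/snort/archive}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}
SNORT_CMD=${SNORT_CMD:-"/usr/local/bin/snort -D -c /usr/local/etc/snort.conf -l $LOGDIR"}

# rotate_snort_logs LOGDIR ARCHIVE [STAMP]
# Moves LOGDIR/snort-*.log (and a legacy LOGDIR/snort.log) into ARCHIVE as
# <name>.<STAMP>.pcap, STAMP defaulting to the current time.  Prints the
# number of files moved.  The '@' in snort's name is replaced with '-'
# because it trips up some tools; the rotation stamp supplies the year,
# which snort's %m%d@%H%M name lacks.
rotate_snort_logs() {
    logdir=$1
    archive=$2
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    count=0
    # Captures hold full packet payloads: keep the archive private.
    [ -d "$archive" ] || mkdir -m 0700 -p "$archive" || return 1
    for f in "$logdir"/snort-*.log "$logdir"/snort.log; do
        [ -f "$f" ] || continue               # unmatched glob, skip it
        base=$(basename "$f" .log | tr '@' '-')
        dest="$archive/$base.$stamp.pcap"
        if [ -e "$dest" ]; then
            echo "refusing to overwrite $dest" >&2
            return 1
        fi
        mv -- "$f" "$dest" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# stop_snort PIDFILE: TERM the daemon and wait (bounded) for it to exit so
# the capture it has open is closed before we move it.  Moving an open
# file on the same filesystem does not make snort start a new one.
stop_snort() {
    pid=$(cat "$1") || return 1
    kill -TERM "$pid" || return 1
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "snort pid $pid did not exit" >&2; return 1; }
        sleep 1
    done
}

# Full rotation: stop, move, restart.
rotate_and_restart() {
    stop_snort "$PIDFILE" || return 1
    rotate_snort_logs "$LOGDIR" "$ARCHIVE" >/dev/null || return 1
    $SNORT_CMD
}

# Only acts when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    rotate_and_restart
fi
```

Run it from cron as `sh rotate-snort.sh run` as the user snort runs under (root, if snort drops privileges itself). Since snort reopens a fresh snort-MMDD@HHMM.log on every start, the log dir holds at most the one file currently being written, which is the property Erek's workaround relies on.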
