[Snort-users] Snort creating corrupt binary data logs?

Cloppert, Michael Michael.Cloppert at ...5884...
Fri Nov 29 07:32:04 EST 2002

Ladies & gents,

Has anyone seen the following behavior?
Running Snort 1.9 on promiscuous interface with binary logging on RedHat
LINUX 7.3 i386.  Log files created are /var/log/snort/snort.log.*.  Many
(probably up to 50%) of these binary data files are reported by BOTH tcpdump
AND snort (when re-run over the log files for post-mortem analysis) as
"pcap_loop: bogus savefile header."  I didn't notice this on 1.8.7 on the
same system, same setup... however at that time I wasn't paying as close
attention to my binary log files, so it may have been present then as well.
Some google-ing revealed one or two other cases like this, but most were on
different systems, or no solution could be found.

I'm using a "killproc snort" in my /etc/rc.d/init.d/snortd script, which is
how I believe the .rpm package set it up.  Any comments or help would be
greatly appreciated.  Thank you.

Michael Cloppert

More information about the Snort-users mailing list