[Snort-users] -b binary logging question

Erek Adams erek at ...577...
Tue Sep 3 00:53:03 EDT 2002


On Mon, 2 Sep 2002, John Sage wrote:

> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
>
> Does the -b binary logging switch *always* record all packets on the
> interface?

No, not unless you are logging everything that comes over the wire.

> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?

Yes.  :)

> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:
>
> ./snort -l ./log -b
>
> Note the command line changes here. We don't need to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."
>
>
> This implies that -b gets everything.
>
> OK: does it *always* get everything?

No, only if an alert, log, or <user_type> rule matched.

I think the 'everything' mentioned there is 'all the packet and alert info'.
Otherwise, you have alerts one place and packet dumps another.

You _do_ need to use a '-h' or a 'reference net' config directive when
obfuscating things.  Otherwise it won't know which side of the packet to
munge.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list