[Snort-users] -b binary logging question
erek at ...577...
Tue Sep 3 00:53:03 EDT 2002
On Mon, 2 Sep 2002, John Sage wrote:
> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
> Does the -b binary logging switch *always* record all packets on the
No, not unless you are logging everything that comes over the wire.
> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?
> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:
> ./snort -l ./log -b
> Note the command line changes here. We don't need to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."
> This implies that -b gets everything.
> OK: does it *always* get everything?
No, only if an alert, log, or <user_type> rule matched.
I think the 'everything' mentioned there is 'all the packet and alert info'.
Otherwise, you have alerts one place and packet dumps another.
You _do_ need to use a '-h' or a 'reference net' config directive when
obfuscating things. Otherwise it won't know which side of the packet to
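A way to check empirically what a -b log actually contains, added here as an example and not part of the original thread or of Snort itself. The -b file is in tcpdump (pcap) format, so a short reader that walks the record headers and decodes the IPv4/TCP/UDP 5-tuples lets you compare a run without a config (everything off the wire) against a run with -c snort.conf (only packets that matched alert/log rules). The packets embedded below are constructed sample data, the link type is assumed to be Ethernet, and the helper names (build_pcap, parse_pcap, only_in_first) are this example's own.

```python
"""Summarise a snort -b (tcpdump-format) log and diff two of them."""
import socket
import struct
from typing import Dict, List, Optional

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def _ipv4_frame(src: str, dst: str, proto: int, sport: int, dport: int,
                payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample data)."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    # ports first, then the remainder of a 20-byte TCP or 8-byte UDP header
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * (16 if proto == 6 else 4)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_pcap(frames: List[bytes], snaplen: int = 65535, little_endian: bool = True) -> bytes:
    """Serialise frames into a pcap buffer; records are cut at snaplen like a real capture."""
    endian = "<" if little_endian else ">"
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out += struct.pack(endian + "IIII", 1031014383 + i, 0, incl, len(frame)) + frame[:incl]
    return out


def _decode_frame(frame: bytes, orig_len: int) -> Optional[Dict]:
    """Decode one Ethernet frame to a 5-tuple record; None if it is not IPv4."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:          # snaplen cut the packet before the IP header ended
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    l4 = ip[ihl:]
    sport = dport = None
    if proto in PROTO_NAMES and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport,
            "truncated": len(frame) < orig_len}


def parse_pcap(data: bytes) -> List[Dict]:
    """Return one record per IPv4 packet in a pcap buffer (either byte order)."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a tcpdump-format (pcap) file")
    _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("capture file ends inside a packet record")
        off += incl_len
        rec = _decode_frame(frame, orig_len)
        if rec is not None:
            records.append(rec)
    return records


def only_in_first(full: List[Dict], rules: List[Dict]) -> List[Dict]:
    """Packets present in the no-config log but absent from the -c snort.conf log."""
    key = lambda r: (r["src"], r["dst"], r["proto"], r["sport"], r["dport"])
    seen = {key(r) for r in rules}
    return [r for r in full if key(r) not in seen]


# Constructed sample: one HTTP SYN-ish packet and one DNS query.
SAMPLE_FRAMES = [_ipv4_frame("10.0.0.5", "192.168.1.10", 6, 34567, 80),
                 _ipv4_frame("10.0.0.5", "192.168.1.1", 17, 5353, 53)]
SAMPLE_CAPTURE = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for rec in parse_pcap(data):
        print(rec)
```

Run it once against the snort.log produced with only `-l ./log -b` and once against the file from a `-c snort.conf -l ./log -b` run; `only_in_first` then lists exactly the packets that no alert or log rule matched. Records flagged `truncated` were cut at the snaplen, so a short snaplen can leave you with headers but no payload to analyse.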