[Snort-users] -b binary logging question
cmg at ...1935...
Tue Sep 3 05:22:04 EDT 2002
John Sage <jsage at ...2022...> writes:
> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
> Does the -b binary logging switch *always* record all packets on the
No. One thing that is confusing about snort is that it supports many
> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?
Yes. There is a difference between with a snort.conf and without.
> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:e
I really should rewrite that portion. That only makes sense these
days if you've got a slow machine but fast disk IO. Binary mode for a
log format + fast mode instead of an ascii logging makes lots of
> ./snort -l ./log -b
> Note the command line changes here. We don't nee to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."
> This implies that -b gets everything.
It does in that command line.
> OK: does it *always* get everything?
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.
More information about the Snort-users