[Snort-users] -b binary logging question

John Sage jsage at ...2022...
Tue Sep 3 07:31:02 EDT 2002


Erek, Chris:

Thanks, guys..

- John


On Tue, Sep 03, 2002 at 08:25:54AM -0400, Chris Green wrote:
> John Sage <jsage at ...2022...> writes:
> 
> > Having a discussion off-list about the -b binary logging switch, and
> > suddenly I'm wondering...
> >
> > Does the -b binary logging switch *always* record all packets on the
> > interface?
> 
> No.  One thing that is confusing about snort is that it supports many
> different modes.
> 
> >
> > Or is the set of packets logged by -b changed when one starts to
> > specify a snort.conf and thus check the packets against rules, whether
> > alerts or passes?
> 
> Yes.  There is a difference between with a snort.conf and without.
> 
> >
> >
> > "If you're on a high speed network or you want to log the packets into
> > a more compact form for later analysis you should consider logging in
> > "binary mode". Binary mode logs the packets in "tcpdump format" to a
> > single binary file in the logging directory:
> 
> I really should rewrite that portion.  That only makes sense these
> days if you've got a slow machine but fast disk IO.  Binary mode for a
> log format + fast mode instead of an ascii logging makes lots of
> sense though.
> 
> >
> > ./snort -l ./log -b
> >
> > Note the command line changes here. We don't need to specify a home
> > network any longer because binary mode logs everything into a single
> > file, which eliminates the need to tell it how to format the output
> > directory structure."
> >
> > This implies that -b gets everything.
> >
> 
> It does in that command line.
> 
> > OK: does it *always* get everything?
> >
> 
> Nope.
> -- 
> Chris Green <cmg at ...1935...>
> Don't use a big word where a diminutive one will suffice.
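Since the answer above is that -b records everything only when no snort.conf is loaded, the practical check is to count what actually landed in the log. The following Python parser for the tcpdump-format (libpcap) file that -b writes is an added example, not code from the thread or from the Snort project; the sample bytes are constructed inline, and the field names in the returned dict are my own.

```python
import struct

# libpcap magic as read with "<I": native little-endian file, or byte-swapped (big-endian) file.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1

def pcap_summary(data: bytes) -> dict:
    """Walk a tcpdump-format capture and report what was actually written to it."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off, count, captured, on_wire, clipped = 24, 0, 0, 0, 0
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        count += 1
        captured += incl_len
        on_wire += orig_len
        if incl_len < orig_len:
            clipped += 1  # the snaplen cut this packet short
        off += incl_len
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "packets": count, "bytes_captured": captured, "bytes_on_wire": on_wire,
            "packets_clipped": clipped}

def build_pcap(packets, snaplen=1514, linktype=1) -> bytes:
    """Constructed little-endian pcap writer, used only to make offline sample input."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    for ts, frame in packets:
        incl = min(len(frame), snaplen)
        out += struct.pack("<IIII", ts, 0, incl, len(frame)) + frame[:incl]
    return out

# Constructed input: three frames, the last one longer than the snaplen so it gets clipped.
SAMPLE = build_pcap([(1031059862, b"\x00" * 60), (1031059863, b"\x00" * 200),
                     (1031059864, b"\x00" * 1600)], snaplen=1514)

if __name__ == "__main__":
    print(pcap_summary(SAMPLE))
```

Run it against the file -b produced with and without -c snort.conf on the same traffic; a much smaller packet count in the snort.conf run is the rule-filtered behaviour described above, not a capture problem.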