[Snort-users] -b binary logging question
jsage at ...2022...
Tue Sep 3 07:31:02 EDT 2002
On Tue, Sep 03, 2002 at 08:25:54AM -0400, Chris Green wrote:
> John Sage <jsage at ...2022...> writes:
> > Having a discussion off-list about the -b binary logging switch, and
> > suddenly I'm wondering...
> > Does the -b binary logging switch *always* record all packets on the
> > interface?
> No. One thing that is confusing about snort is that it supports many
> different modes.
> > Or is the set of packets logged by -b changed when one starts to
> > specify a snort.conf and thus check the packets against rules, whether
> > alerts or passes?
> Yes. There is a difference between with a snort.conf and without.
> > "If you're on a high speed network or you want to log the packets into
> > a more compact form for later analysis you should consider logging in
> > "binary mode". Binary mode logs the packets in "tcpdump format" to a
> > single binary file in the logging directory:e
> I really should rewrite that portion. That only makes sense these
> days if you've got a slow machine but fast disk IO. Binary mode for a
> log format + fast mode instead of an ascii logging makes lots of
> sense though.\
> > ./snort -l ./log -b
> > Note the command line changes here. We don't nee to specify a home
> > network any longer because binary mode logs everything into a single
> > file, which eliminates the need to tell it how to format the output
> > directory structure."
> > This implies that -b gets everything.
> It does in that command line.
> > OK: does it *always* get everything?
> Chris Green <cmg at ...1935...>
> Don't use a big word where a diminutive one will suffice.
More information about the Snort-users