[Snort-users] Syntax question

Martin Roesch roesch at ...1935...
Mon Jan 6 08:07:05 EST 2003


The naming scheme uses a filename.timestamp mechanism to ensure that every
new file has a unique filename (so you don't stomp old log files by
accident).  

If you want to get rid of the timestamp suffix on the filename, just edit it
out on lines 257 and 260 of spo_log_tcpdump.c.

     -Marty


On 1/5/03 11:07 PM, "Papa Mike" <online_puppy at ...4554...> wrote:

> --- Dustin Decker <dustind at ...7902...> wrote:
>> Hello all,
>> I'm new to the list, and using Snort 1.9.0 (Build
>> 209). 
>> 
>> I'm logging to a binary file in
>> /var/log/snort_dumps, and later replaying
>> them into my DB by hand using -r flag.  I'm getting
>> ready to make this
>> somewhat automated, and have hit a minor snag.  I
>> use the -L flag with
>> snort to indicate I wish the binary file be named
>> based on the cheezy
>> variable you see displayed below:
>> 
>> [snippet from my shell script]
>> STAMP=`/bin/date +%m%d%y-%H`
>> 
>> /usr/sbin/snort -b -L /var/log/snort_dumps/$STAMP -i
>> eth0 -c \
>> /etc/snort/snort.conf
>> 
>> This is suiting my purposes quite well, with one
>> exception.  I get file
>> names such as this:    010403-09.1041693435
>> 
>> Any recommendations on getting rid of the additional
>> ".1041693435" portion
>> of the file name?
> 
> Funny.  I'm running 1.8.6 and my default tracefile
> naming convention is "snort-MMdd at ...4010...".  That's
> without using the '-L' switch.  When you do, you
> should just specify the filename, not the path.  Give
> the path with the '-l' switch.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
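The script Dustin quotes uses a date stamp as the -L base name and then has to cope with the ".<epoch>" suffix Marty describes when it later replays the dump with -r. As an added example (not part of the thread, and not Snort's own code), the following POSIX sh helpers resolve that suffix from the automation side instead of patching spo_log_tcpdump.c: they split a dump name into its base and epoch, and pick the newest dump for a given STAMP so a replay job can find the file snort just finished writing. The directory, file names and the STAMP convention are assumed from the quoted script; the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes snort 1.9's tcpdump output
# naming "<basename>.<unix-epoch>" and the STAMP convention from the quoted
# script, with the log directory given via -l and only the name via -L:
#   STAMP=`/bin/date +%m%d%y-%H`
#   /usr/sbin/snort -b -l /var/log/snort_dumps -L "$STAMP" -i eth0 -c /etc/snort/snort.conf

# Strip the ".<epoch>" suffix snort appends, leaving the -L base name.
strip_epoch_suffix() {
    # $1: dump file name such as 010403-09.1041693435
    printf '%s\n' "$1" | sed 's/\.[0-9][0-9]*$//'
}

# Print the epoch suffix (the second snort opened the file), or nothing
# if the name carries no numeric suffix.
epoch_of() {
    printf '%s\n' "$1" | sed -n 's/^.*\.\([0-9][0-9]*\)$/\1/p'
}

# Given a directory and a base name, print the path of the newest dump
# for that base (highest epoch). Sorting numerically on the epoch, rather
# than on the raw name, keeps the result correct across different epoch lengths.
newest_dump() {
    dir=$1
    base=$2
    for f in "$dir"/"$base".[0-9]*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(epoch_of "$f")" "$f"
    done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# Demo with constructed file names (no snort needed): two dumps for the
# 010403-09 stamp and one for the next hour.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/010403-09.1041693435" \
          "$tmp/010403-09.1041697035" \
          "$tmp/010403-10.1041697100"
    latest=$(newest_dump "$tmp" 010403-09)
    echo "base:   $(strip_epoch_suffix "$(basename "$latest")")"
    echo "epoch:  $(epoch_of "$latest")"
    echo "replay: /usr/sbin/snort -r $latest -c /etc/snort/snort.conf"
    rm -rf "$tmp"
}
```

In a cron-driven replay job, call `newest_dump /var/log/snort_dumps "$STAMP"` with the STAMP of the hour that has just closed, and pass the result to `snort -r`; the timestamp suffix then does no harm and still protects you from overwriting an earlier dump if snort is restarted within the same hour.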
