[Snort-users] id check returned root ?!?!
erek at ...950...
Sat Jun 28 16:01:03 EDT 2003
On Sat, 28 Jun 2003, Michael D. Schleif wrote:
> Regarding ``logging to binary'', I am running snort from a debian
> package, and by default /etc/snort/snort.conf has this enabled:
> output log_tcpdump: tcpdump.log
> This creates these files:
> Examining these for the string `id=' does show me that every logged
> instance, in context, is a security related email and all instances of
> `id=' are really either `gid=' or `uid='.
> I am relieved about that ;>
> I was going to start a new thread, in this regard; but, your post gives
> me pause and I suspect that my new question is applicable to this same
> thread ;>
That's always been a noisy false positive rule. If you check the archives
on the snort-sigs list you'll see that there has been quite a lot of
discussion over how to make it 'cleaner'.
> What is the difference between the snort.conf log_tcpdump line and the
> commandline: -b ???
> ``Log packets in a tcpdump(1) formatted file.''
> This morning, I activated -b and now I am getting a new sequence of
> Although, this log now contains a couple events, there is *NO* new
> activity in tcpdump.log._timestamp_ .
It's the same file format: pcap. pcap is simply a packet capture format
where the entire packet is stored in a binary file. The only real
difference is the file name.
Now the reason that you didn't have another tcpdump.log.<stamp> file
created is that when you use a command line option it _overrides_ any
option in the snort.conf file. So only use one. :)
"When things get weird, the weird turn pro." H.S. Thompson
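To make the "same format, different file name" point concrete, here is an added example (not code from the post, the list, or the Snort project) that parses a classic pcap file the way either `-b` or `output log_tcpdump` writes it, pulls the TCP payload out of each Ethernet/IPv4 frame, and reports every `id=` hit with the byte in front of it, so `uid=`/`gid=` from a security report mail can be told apart from a bare `id=`. The sample capture is constructed inline from dummy addresses so the script runs offline; the frame builder, the 3-packet sample and the one-byte-of-context heuristic are assumptions of this example, not anything the thread describes.

```python
import struct

# Classic pcap magic (0xa1b2c3d4 for microsecond timestamps). Nanosecond-
# resolution files (0xa1b23c4d) and pcapng are rejected by read_pcap() below.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(payload: bytes) -> bytes:
    # Constructed Ethernet + IPv4 + TCP frame: zero MACs, dummy 10.0.0.x
    # addresses, zero checksums. Good enough for a parser demo, not for the wire.
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 25, 1025, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, little_endian=True) -> bytes:
    # 24-byte global header, then one 16-byte record header per frame.
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(e + "IIII", 1056830463 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes):
    """Return (linktype, [(ts_sec, ts_usec, frame_bytes), ...]) from a classic pcap file."""
    raw_magic = struct.unpack_from("<I", data, 0)[0]
    if raw_magic == PCAP_MAGIC:
        e = "<"            # written by a little-endian host
    elif raw_magic == 0xD4C3B2A1:
        e = ">"            # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % raw_magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack_from(e + "IHHiIII", data, 0)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def tcp_payload(frame: bytes):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None if the frame is anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6 or ihl < 20:
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    start = tcp_off + data_off
    end = min(14 + total_len, len(frame))   # drop any Ethernet padding after the datagram
    return frame[start:end] if start <= end else None


def id_hits(payload: bytes, needle: bytes = b"id="):
    """Every occurrence of needle, returned with the one byte preceding it (if any)."""
    hits, i = [], payload.find(needle)
    while i != -1:
        hits.append(payload[max(i - 1, 0):i + len(needle)])
        i = payload.find(needle, i + 1)
    return hits


def scan_pcap(data: bytes):
    """List of (packet_index, context) for each id= hit in TCP payloads of an Ethernet pcap."""
    linktype, packets = read_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes LINKTYPE_ETHERNET, got %d" % linktype)
    results = []
    for idx, (_, _, frame) in enumerate(packets):
        payload = tcp_payload(frame)
        if payload:
            results.extend((idx, ctx) for ctx in id_hits(payload))
    return results


# Constructed sample: a report mail with uid=/gid=, an unrelated HTTP request,
# and a payload that starts with a bare "id=".
SAMPLE_FRAMES = [
    build_frame(b"Subject: cron output\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"),
    build_frame(b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_frame(b"id=0(root)\r\n"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for idx, ctx in scan_pcap(SAMPLE_PCAP):
        print("packet %d: %r" % (idx, ctx))
```

Because `read_pcap()` only looks at the magic number and record headers, it reads `tcpdump.log.<stamp>` from `output log_tcpdump` and `snort.log.<stamp>` from `-b` identically; only the file name differs, exactly as the reply says. The same parser will also open the file with `tcpdump -r` or Wireshark, which is the quickest way to confirm that a "binary log" is nothing more exotic than pcap.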