[Snort-users] id check returned root ?!?!

Erek Adams erek at ...950...
Sat Jun 28 16:01:03 EDT 2003

On Sat, 28 Jun 2003, Michael D. Schleif wrote:


> Regarding ``logging to binary'', I am running snort from a debian
> package, and by default /etc/snort/snort.conf has this enabled:
> 	output log_tcpdump: tcpdump.log
> This creates these files:
> 	/var/log/snort/tcpdump.log._timestamp_

See below...

> Examining these for the string `id=' does show me that every logged
> instance, in context, is a security related email and all instances of
> `id=' are really either `gid=' or `uid='.
> I am relieved about that ;>
> I was going to start a new thread, in this regard; but, your post gives
> me pause and I suspect that my new question is applicable to this same
> thread ;>

That's always been a noisy false positive rule.  If you check the archives
on the snort-sigs [0] list you'll see that there has been quite a lot of
discussion over how to make it 'cleaner'.

> What is the difference between the snort.conf log_tcpdump line and the
> commandline: -b ???
> 	``Log packets in a tcpdump(1) formatted file.''
> This morning, I activated -b and now I am getting a new sequence of
> files:
> 	/var/log/snort/snort.log._timestamp_
> Although, this log now contains a couple events, there is *NO* new
> activity in tcpdump.log._timestamp_ .

It's the same file format:  pcap.  pcap is simply a packet capture format
where the entire packet is stored in a binary file.  The only real
difference is the file name.

Now the reason that you didn't have another tcpdump.log.<stamp> file
created is that when you use a command line option it _overrides_ any
option in the snort.conf file.  So only use one.  :)


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://marc.theaimsgroup.com/?l=snort-sigs&r=1&w=2
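Two points above can be checked directly against the log files: that snort.log.* and tcpdump.log.* are both plain libpcap files (same 24-byte global header, same record layout), and that the `id=` hits in them are really `uid=`/`gid=` substrings. The script below is an added example, not code from the thread or from the Snort project; it parses the pcap headers with `struct`, builds a small constructed capture in memory so it runs offline, and splits the matching records into "uid=/gid= only" versus "bare id=" for triage. The payload strings are constructed test data, and in a real capture each record is the full link-layer frame, which is what is scanned here.

```python
import re
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # libpcap magic, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic written big-endian

def read_pcap(data: bytes):
    """Parse a libpcap file and return (linktype, [record bytes, ...]).

    Raises ValueError when the global header is not libpcap; both of the
    Snort binary logs discussed above pass this check, only their names differ."""
    if len(data) < 24:
        raise ValueError("too short for a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file, magic 0x%08x" % magic)
    # magic, major, minor, thiszone, sigfigs, snaplen, network (linktype)
    _, _, _, _, _, _, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record; stop rather than read garbage
        records.append(data[off:off + incl_len])
        off += incl_len
    return linktype, records

def is_pcap(data: bytes) -> bool:
    """True when the file starts with a libpcap global header of either byte order."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False

def triage_id_hits(records):
    """Return (indexes where every 'id=' is uid=/gid=, indexes with a bare 'id=')."""
    uid_gid_only, bare = [], []
    for idx, rec in enumerate(records):
        if b"id=" not in rec:
            continue
        (bare if re.search(rb"(?<![ug])id=", rec) else uid_gid_only).append(idx)
    return uid_gid_only, bare

def build_pcap(payloads, linktype=1):
    """Constructed little-endian pcap for offline testing (not a real Snort capture)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1056816000 + i, 0, len(p), len(p)) + p
    return out
```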
