[Snort-users] How to log as ASCII?
erek at ...950...
Wed May 14 08:38:08 EDT 2003
On Wed, 14 May 2003 peter.grosse-hering at ...9150... wrote:
> How can I log into a plain ASCII files in the same format as alert_full? We
> also want to avoid those subdirectory structures, but need just a plain
> ASCII file where all "Log"-rules log into...
Well... I'm not quite sure what you mean. Full and Fast alert modes both
_are_ ASCII files.
If you want the packet decoded and the payload listed in the alert files,
as you have in the <log_dir>/<IP_Address>/<whatever> files, you can't.
I think a viable option would be to log in binary (pcap), then post
process the file to examine the packet and the alert. Once you have a
pcap file, do something like:
snort -dvr <file> |more
And you'll have the full packet dump as in the directories, but without
all the files and subdirs.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users