[Snort-users] alert_full AND log_tcpdump

Nerijus Krukauskas nkrukauskas at ...10060...
Thu Sep 11 04:38:24 EDT 2003

   Is it possible to get SNORT to log packets in both alert_full 
(alert log file with packet files in directories per IP address) and 
log_tcpdump (binary tcpdump format) modes?

   The Snort manual says: "When multiple plugins of the same type 
(log, alert) are specified, they are stacked and called in sequence 
when an event occurs." Am I reading it wrong or am doing something 
wrong in snort.conf file?

   In snort.conf I have specified:
output alert_full: alert
output log_tcpdump: tcpdump.log

   But then snort logs alerts in file "alert" and packets in 
"tcpdump.log". If I comment out tcpdump.log from snort.conf then I get 
packets in per IP directories. But I need them both...  :(

   My snort command line: snort -o -e -c snort.conf -X -d -y -D -i eth0

NK @ Vilnius

P.S. Sorry if I haven't been clear enough. English is not my native 
(as one can guess from my name)...  :)

More information about the Snort-users mailing list