[Snort-users] Question about 'logto' and 'log_tcpdump'

Lin Zhong Lin.Zhong at ...11426...
Sat May 8 15:50:03 EDT 2004

I see in the Snort manual that there is a 'logto' option for rules: logto: filename

Does it log all the traffic that triggers the specific alert to this file in binary mode? Can I still use threshold to control it so that it only logs part of the traffic?

I have also tried to define a new version of alert as follows:

ruletype myalert
{
	type alert
	output alert_CSV: new.alerts default
	output log_tcpdump: log.packet
}

I have changed the rule correspondingly. 

But when I run Snort, it only gives me the new.alerts log and there is no log.packet file. I tried log_unified too, but it doesn't work either.

Can anybody tell me why? And what should I do to make it work?

Many thanks,


