[Snort-users] Logs and alerts directed into a single file?

Matt Kettler mkettler at ...4108...
Tue Sep 7 12:36:04 EDT 2004


At 01:30 PM 9/7/2004, Sconeboy The Magnificent wrote:
>I assume I am doing something wrong, but I cannot see a way to get
>snort to log alerts and 'log' to one and the same file,
>
>for example, I have a rule to diagnose http data across my network
>using the session:printable; parameter [F1]. If I use an 'alert' rule
>in my snort rules file it will log the alert for that rule to one file,
>and then the actual payload data to another file [F2]
>
>is it possible to log the alert and then the data immediately after in one 
>file?


Not that I'm aware of.

Also, for what it's worth, the text data logging mode is not recommended 
for production use because it's outrageously slow and causes packet loss.

If you're going to do basic text mode alert logging, I'd seriously suggest 
switching to tcpdump binary format for packet logs. If you later need the 
packets decoded into text, you can run the files through tcpdump -rx, or a 
decoder of your choice.

I'll admit this takes you further away from your desire for a collated 
report from snort, but report formatting is best handled by post-processing 
due to packet loss concerns. You might want to look at one or more data 
analysis tools to help generate the report formats you want.
http://www.snort.org/dl/contrib/data_analysis/
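
The post-processing approach described in the reply, as an added example that is not part of the original thread and not code from the Snort project: packets are kept in tcpdump/pcap binary format, alerts in Snort's one-line fast format, and a small script joins the two afterwards by timestamp and 5-tuple and renders the payload the way session:printable would. It assumes the classic libpcap file layout (global header plus per-record headers, microsecond timestamps) over Ethernet/IPv4/TCP, that the alert file was written with the same clock as the capture (timestamps are rendered in UTC here; Snort normally prints local time), and a fast-format alert line shape that is approximated by the regex. All sample packets and alert lines are constructed inline.

```python
"""Collate Snort fast-format alerts with packets from a pcap (tcpdump binary) log.

Added example; not code from the mailing-list thread or from Snort itself.
Assumptions: libpcap file layout, Ethernet/IPv4/TCP frames, alert timestamps
comparable to the capture clock (rendered in UTC). Sample data is constructed.
"""
import re
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Approximation of a Snort fast alert line (assumed shape, see lead-in).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def build_tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not validated here)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(records):
    """Serialize (unix_seconds, microseconds, frame) tuples as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (sec, usec, frame) from a pcap byte string, honouring its byte order."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload), or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:14 + total_len]


def fmt_ts(sec, usec):
    """Render a pcap timestamp in Snort's MM/DD-HH:MM:SS.uuuuuu form (UTC assumed)."""
    return datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%m/%d-%H:%M:%S") + f".{usec:06d}"


def printable(payload):
    """Mimic session:printable output: keep printable ASCII and line breaks, dot the rest."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in payload)


def collate(pcap_bytes, alert_text):
    """Pair each TCP alert line with the logged packet sharing its timestamp and 5-tuple."""
    packets = {}
    for sec, usec, frame in iter_pcap(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is not None:
            src, dst, sport, dport, payload = decoded
            packets[(fmt_ts(sec, usec), src, sport, dst, dport)] = payload
    report = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        key = (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        payload = packets.get(key)
        report.append({"ts": m["ts"], "msg": m["msg"],
                       "payload": None if payload is None else printable(payload)})
    return report


# Constructed sample capture and alert file (not real traffic).
T0 = int(datetime(2004, 9, 7, 13, 30, 1, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = build_pcap([
    (T0, 123456, build_tcp_frame("10.0.0.5", "10.0.0.7", 43210, 80,
                                 b"GET / HTTP/1.0\r\nHost: www\r\n\r\n")),
    (T0 + 2, 5, build_tcp_frame("10.0.0.5", "10.0.0.9", 43211, 22, b"SSH-2.0-x\r\n\x00\x01")),
])
SAMPLE_ALERTS = (
    "09/07-13:30:01.123456  [**] [1:1000001:0] HTTP session capture [**] "
    "[Priority: 3] {TCP} 10.0.0.5:43210 -> 10.0.0.7:80\n"
    "09/07-13:30:05.000000  [**] [1:1000002:0] no matching packet [**] "
    "[Priority: 3] {TCP} 10.0.0.5:1 -> 10.0.0.7:2\n"
)

if __name__ == "__main__":
    for entry in collate(SAMPLE_PCAP, SAMPLE_ALERTS):
        print(entry["ts"], entry["msg"])
        print(entry["payload"] if entry["payload"] is not None else "(no packet logged)")
```

Matching on an exact timestamp string is deliberately strict; with real data the alert and the logged packet can differ by a few microseconds, so a production collator would match on the 5-tuple and the nearest timestamp within a small window instead. The second alert is there to show the case the reply warns about: when the packet logger dropped the packet, the alert survives but has nothing to join to.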
