[Snort-users] Logs and alerts directed into a single file?

Jason security at ...5028...
Tue Sep 7 17:58:07 EDT 2004


I would suggest that you instead use unified logging and have barnyard 
post-process the logs into ASCII for you. It will give you a performance 
bump and the logging you are looking for. The tarball contains the docs:

http://www.snort.org/dl/barnyard/

Failing that,

http://www.snort.org/docs/snort_manual/node13.html#SECTION00343000000000000000

you will still have two files but the "log" files should have all of the 
information you need.


Sconeboy The Magnificent wrote:

> Hi there,
> 
> I assume I am doing something wrong, but I cannot see a way to get
> snort to log alerts and 'log' to one and the same file.
> 
> For example, I have a rule to diagnose http data across my network
> using the session:printable; parameter [F1]. If I use an 'alert' rule
> in my snort rules file it will log the alert for that rule to one file,
> and then the actual payload data to another file [F2].
> 
> Is it possible to log the alert and then the data immediately after in one file? 
> 
> [F1]
> 
> alert tcp any 80 <> 192.168.1.0/24 any (msg:"http user";
> flow:from_server,established; logto:"alert";content:"POST ";
> session:printable;)
> 
> [F2]
> 
> $ ls -al ../192.168.1.100/
> drwx------    1 root     root            0 Jan  1 02:31 .
> drwxr-xr-x    1 root     root            0 Jan  1 01:34 ..
> -rw-------    1 root     root          281 Jan  1 02:31 PROTO006:4851-80
> -rw-------    1 root     root          661 Jan  1 02:31 SESSION:4851-80
> -rw-------    1 root     root          661 Jan  1 02:43 SESSION:4872-80
> $
> 
> [PROTO006 is the alert, SESSION: is the data]
> 
> Thank you,
> Rory
> 
> 
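A concrete version of the unified-logging setup Jason recommends, added here as an example rather than taken from the thread or from the Snort/Barnyard projects. Directive and flag names follow the Snort 2.x manual and the Barnyard 0.2 README; the file paths, roll-over limit, hostname and interface are assumed example values, so check them against the docs in the tarball.

```conf
# snort.conf: replace the ASCII alert/log plugins with the binary unified
# spool files that Barnyard consumes (one for alerts, one for packet logs).
# Paths and the 128 MB roll-over limit are example values.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# barnyard.conf: turn the spool back into text offline, so Snort itself
# never blocks on slow ASCII writes. Hostname and interface are example values.
# log_dump writes the event header and the decoded packet into the same
# file, which is what puts the alert and its payload together.
config hostname: sensor1
config interface: eth0
output alert_fast: /var/log/snort/fast.alert
output log_dump: /var/log/snort/dump.log

# Run Barnyard continuously against the log spool (example paths); the
# waldo file records how far it has read so a restart does not re-process.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log \
#            -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map \
#            -w /var/log/snort/barnyard.waldo
```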