[Snort-users] Where's Waldo?

waldo kitty wkitty42 at ...14940...
Wed Oct 10 15:16:36 EDT 2012


On 10/9/2012 11:29, AllowOverride wrote:
> I was doing some research, like i usually do, and i found this option, but,
> there is not much said about in the Readme's enclosed with Barnyard2 tar.
>
> -f <base> Use <base> as the base filename pattern
>
> what do they mean by base filename pattern?

snort.log would be one example since snort then outputs

   snort.log.123456789
   snort.log.234567890
   snort.log.345678901

styled filenames...

another pattern might be something like YYYYMMDD-foobar.log where the YYYY is 
the four digit year, MM is the two digit month, and DD is the two digit day of 
the month... of course, this also depends on the tool needing these patterns and 
what it can support...

one also must necessarily be careful with these log file names... in my setup, 
files such as those are pcap files... if i also want unified2 output, i have to 
specify another log file name to ensure that i do not overwrite or place data in 
the wrong file...

NOTE: IM(H)O, snort/VRT should have named the above default snort.log output as 
snort.pcap to _truly_ denote what these files are... this on a snort 
installation with *NO* "output" plugins defined... it took a while before 
someone, joel i think, was finally able to tell me what those files actually 
were... before then, i had been processing them with a few homegrown scripts to 
pull data from them that i had figured out and wanted to report on...

NOTE2: i see in my old snort.conf that the unified2 output is configured with a 
file name of merged.log... not having looked at barnyard2 or any other "IDS/IPS 
controller" stuffs, i can only hope that they allow for these file names to be 
custom set for each install... additionally, i do not know (yet) if this file 
results in files similar to the above snort.log.xxxxxxxxx format or if it is 
simply one big log file that remains until it is rotated out...
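As an added illustration (this is not code from the post above, nor from the snort or barnyard2 projects), the following Python script treats a `<base>` of `snort.log` the way the reply describes: it picks out `<base>.<unix-timestamp>` files from a directory listing, orders them by the timestamp suffix, and sniffs each file's leading bytes to tell a pcap file from a unified2 file, which is exactly the "what are these files actually" confusion the NOTE describes. The pcap and pcapng magic numbers are the public libpcap/pcapng values and the unified2 record types are taken from Snort's `Unified2_common.h`; the file names and file contents in `SAMPLE_FILES` are constructed for the example, and the function names are my own.

```python
import re
import struct
from datetime import datetime, timezone

# libpcap global-header magic in both byte orders (microsecond and
# nanosecond variants) and the pcapng section-header block type.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # microsecond pcap, BE / LE
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # nanosecond pcap, BE / LE
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# Unified2 has no file magic; each record starts with a big-endian
# (type, length) pair.  These type codes come from Snort's Unified2_common.h:
# PACKET=2, IDS_EVENT=7, IDS_EVENT_IPV6=72, IDS_EVENT_VLAN=104,
# IDS_EVENT_IPV6_VLAN=105, EXTRA_DATA=110.
UNIFIED2_TYPES = {2, 7, 72, 104, 105, 110}

# Constructed directory listing: name -> first bytes of the file.
SAMPLE_FILES = {
    "snort.log.1349800000": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16,
    "snort.log.1349700000": b"\xa1\xb2\xc3\xd4\x00\x02\x00\x04" + b"\x00" * 16,
    "snort.log.1349900000": b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00" + b"\x00" * 20,
    "merged.log.1349800000": struct.pack("!II", 7, 52) + b"\x00" * 52,
    "snort.log": b"",                      # un-suffixed name, not a rotated file
    "alert.fast": b"10/09-11:29:00.000000 ",  # text output, wrong base anyway
}


def parse_rotated_name(filename, base):
    """Return the integer timestamp suffix of '<base>.<digits>', else None."""
    m = re.fullmatch(re.escape(base) + r"\.(\d+)", filename)
    return int(m.group(1)) if m else None


def classify_header(head):
    """Classify a file by its leading bytes: pcap, pcapng, unified2 or unknown."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if len(head) >= 8:
        rec_type, rec_len = struct.unpack("!II", head[:8])
        # A plausible unified2 record: known type and a sane record length.
        if rec_type in UNIFIED2_TYPES and 0 < rec_len < 65536:
            return "unified2"
    return "unknown"


def inventory(files, base):
    """Return (timestamp, name, kind) tuples for rotated files of <base>, oldest first."""
    rows = []
    for name, head in files.items():
        ts = parse_rotated_name(name, base)
        if ts is None:
            continue
        rows.append((ts, name, classify_header(head)))
    rows.sort()
    return rows


if __name__ == "__main__":
    for base in ("snort.log", "merged.log"):
        for ts, name, kind in inventory(SAMPLE_FILES, base):
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            print(f"{name:24} {when}  {kind}")
```

Run against a real spool directory by replacing `SAMPLE_FILES` with a dict built from `os.listdir()` and the first 64 bytes of each file; the header sniff is what keeps a pcap-only `snort.log` base and a unified2 base from being fed to the wrong reader.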