[Snort-users] Where's Waldo?
allowoverride at ...11827...
Wed Oct 10 17:47:55 EDT 2012
Yep, pcap would be a better filename, agreed. Thanks for your input.
On Wed, 2012-10-10 at 15:16 -0400, waldo kitty wrote:
> On 10/9/2012 11:29, AllowOverride wrote:
> > I was doing some research, like I usually do, and I found this option, but
> > there is not much said about it in the READMEs enclosed with the Barnyard2 tar.
> > -f <base> Use <base> as the base filename pattern
> > what do they mean by base filename pattern?
> snort.log would be one example since snort then outputs
> styled filenames...
> another pattern might be something like YYYYMMDD-foobar.log where the YYYY is
> the four digit year, MM is the two digit month, and DD is the two digit day of
> the month... of course, this also depends on the tool needing these patterns and
> what it can support...
> one also must necessarily be careful with these log file names... in my setup,
> files such as those are pcap files... if i also want unified2 output, i have to
> specify another log file name to ensure that i do not overwrite or place data in
> the wrong file...
> NOTE: IM(H)O, snort/VRT should have named the above default snort.log output as
> snort.pcap to _truly_ denote what these files are... this on a snort
> installation with *NO* "output" plugins defined... it took a while before
> someone, joel i think, was finally able to tell me what those files actually
> were... before then, i had been processing them with a few homegrown scripts to
> pull data from them that i had figured out and wanted to report on...
> NOTE2: i see in my old snort.conf that the unified2 output is configured with a
> file name of merged.log... not having looked at barnyard2 or any other "IDS/IPS
> controller" stuffs, i can only hope that they allow for these file names to be
> custom set for each install... additionally, i do not know (yet) if this file
> results in files similar to the above snort.log.xxxxxxxxx format or if it is
> simply one big log file that remains until it is rotated out...
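As an added illustration of the two spool formats Waldo describes above (the pcap-format snort.log.<timestamp> files Snort writes with no output plugin configured, and a unified2 file such as merged.log), the following Python script, which is not code from this thread, from Snort or from Barnyard2, identifies a spool file by its contents rather than its name and lists the files matching a <base>.<timestamp> pattern, oldest first. The directory, file names and timestamps are constructed sample data; the pcap magic numbers come from libpcap and the record type numbers from Snort's Unified2_common.h.

```python
import os
import re
import struct
import tempfile

# Magic numbers that begin a libpcap file. Snort's default snort.log.<ts>
# files (no output plugin configured) are in this format.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # big-endian, nanosecond timestamps
}

# Unified2 record types from Snort's Unified2_common.h. A unified2 file has no
# file-level magic: it is a sequence of records, each starting with a
# network-byte-order header of (type u32, length u32).
UNIFIED2_TYPES = {2, 7, 72, 99, 100, 104, 105, 110}


def classify_log(path):
    """Return 'pcap', 'unified2' or 'unknown' from the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if len(head) < 4:
        return "unknown"
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if len(head) == 8:
        rec_type, rec_len = struct.unpack("!II", head)
        # Sanity bound on the body length; a real record is far below 64 KiB.
        if rec_type in UNIFIED2_TYPES and 0 < rec_len < 65536:
            return "unified2"
    return "unknown"


def spool_files(directory, base):
    """Files named <base>.<unix timestamp> in directory, as (timestamp, path), oldest first."""
    pat = re.compile(r"^" + re.escape(base) + r"\.(\d+)$")
    found = []
    for name in os.listdir(directory):
        m = pat.match(name)
        if m:
            found.append((int(m.group(1)), os.path.join(directory, name)))
    return sorted(found)


def summarize(directory, bases=("snort.log", "merged.log")):
    """Map each spool file name under the given base patterns to its detected format."""
    return {os.path.basename(p): classify_log(p)
            for base in bases
            for _, p in spool_files(directory, base)}


def build_demo_dir():
    """Constructed sample spool: two pcap-format snort.log files and one unified2 merged.log."""
    d = tempfile.mkdtemp()
    # libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # unified2 record header for UNIFIED2_IDS_EVENT (type 7, 52-byte body), zero-filled body
    u2_record = struct.pack("!II", 7, 52) + b"\x00" * 52
    for name, data in [("snort.log.1349886475", pcap_hdr),
                       ("snort.log.1349890075", pcap_hdr),
                       ("merged.log.1349886475", u2_record)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, kind in sorted(summarize(demo).items()):
        print(f"{name}: {kind}")
```

Because the check keys on content, a unified2 file mistakenly written to the snort.log base still shows up as unified2, which is exactly the mix-up Waldo warns about when both outputs share a name.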