[Snort-users] Where's Waldo?

AllowOverride allowoverride at ...11827...
Wed Oct 10 17:49:56 EDT 2012


agreed, merged.log is ambiguously named as well... i thought it meant a
merge of alert/snort, or snort/pcap, or pcap/alert, or binary/snort, and so
on and so forth. i couldn't tell, as i couldn't view the data with the enclosed
utils. that was then though..

On Wed, 2012-10-10 at 15:16 -0400, waldo kitty wrote:
> On 10/9/2012 11:29, AllowOverride wrote:
> > I was doing some research, like i usually do, and i found this option, but
> > there is not much said about it in the READMEs enclosed with the Barnyard2 tar.
> >
> > -f <base> Use <base> as the base filename pattern
> >
> > what do they mean by base filename pattern?
> 
> snort.log would be one example since snort then outputs
> 
>    snort.log.123456789
>    snort.log.234567890
>    snort.log.345678901
> 
> styled filenames...
> 
> another pattern might be something like YYYYMMDD-foobar.log where the YYYY is 
> the four digit year, MM is the two digit month, and DD is the two digit day of 
> the month... of course, this also depends on the tool needing these patterns and 
> what it can support...
> 
> one also must necessarily be careful with these log file names... in my setup, 
> files such as those are pcap files... if i also want unified2 output, i have to 
> specify another log file name to ensure that i do not overwrite or place data in 
> the wrong file...
> 
> NOTE: IM(H)O, snort/VRT should have named the above default snort.log output as 
> snort.pcap to _truly_ denote what these files are... this on a snort 
> installation with *NO* "output" plugins defined... it took a while before 
> someone, joel i think, was finally able to tell me what those files actually 
> were... before then, i had been processing them with a few homegrown scripts to 
> pull data from them that i had figured out and wanted to report on...
> 
> NOTE2: i see in my old snort.conf that the unified2 output is configured with a 
> file name of merged.log... not having looked at barnyard2 or any other "IDS/IPS 
> controller" stuffs, i can only hope that they allow for these file names to be 
> custom set for each install... additionally, i do not know (yet) if this file 
> results in files similar to the above snort.log.xxxxxxxxx format or if it is 
> simply one big log file that remains until it is rotated out...
> 
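The two things waldo kitty describes above, a base filename pattern that snort turns into <base>.<epoch> files, and the fact that snort.log.* (plain snort -l, no output plugin) holds pcap while merged.log.* (output unified2: filename merged.log) holds unified2, can both be checked from the files themselves rather than guessed. The script below is an added example written for this archive page; it is not code from the thread, from Snort or from barnyard2. It builds a constructed spool directory in a temp dir, lists the files for each base pattern in numeric-suffix order, and classifies each one by its first bytes: libpcap and pcapng have a magic number, unified2 does not and starts straight at a (type, length) big-endian record header. The unified2 record type numbers and the 52-byte IDS event layout are taken from my recollection of Snort's Unified2_common.h, not from the thread, and the epochs and the 1:1000001 event are made up.

```python
#!/usr/bin/env python3
"""Inventory a Snort spool directory: which files share a base filename
pattern, in what order, and what is actually inside them."""
import os
import re
import struct
import tempfile

# libpcap global-header magics (both byte orders, microsecond and nanosecond
# variants) and the pcapng section-header block type.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

# Unified2 record types as recalled from Snort's Unified2_common.h (an
# assumption of this example, not something the thread states).  Unified2 has
# no magic: a file begins directly with a record header of two big-endian
# uint32s, (type, length), followed by the record body.
UNIFIED2_TYPES = {2: "packet", 7: "event", 72: "event6",
                  104: "event_vlan", 105: "event6_vlan", 110: "extra_data"}
EVENT_TYPES = (7, 72, 104, 105)

# <base>.<epoch seconds>, the shape of snort.log.123456789 in the thread
SPOOL_RE = re.compile(r"^(?P<base>.+)\.(?P<ts>\d{9,10})$")


def classify(path):
    """Say what a spool file is, judged from its first 8 bytes only."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if not head:
        return "empty"            # just rolled to by snort, nothing written yet
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if len(head) == 8:
        rtype, rlen = struct.unpack(">II", head)
        if rtype in UNIFIED2_TYPES and 0 < rlen < (1 << 20):
            return "unified2"
    return "unknown"


def first_event(path):
    """For a unified2 file, (gid, sid) of the first IDS event record, else None."""
    with open(path, "rb") as fh:
        while True:
            hdr = fh.read(8)
            if len(hdr) < 8:
                return None
            rtype, rlen = struct.unpack(">II", hdr)
            body = fh.read(rlen)
            if len(body) < rlen:
                return None       # truncated record: snort is still writing it
            if rtype in EVENT_TYPES and rlen >= 28:
                # Unified2IDSEvent starts: sensor_id, event_id, event_second,
                # event_microsecond, signature_id, generator_id, signature_rev
                _, _, _, _, sid, gid, _ = struct.unpack(">7I", body[:28])
                return (gid, sid)


def spool_files(directory, base):
    """Files named <base>.<epoch> in directory, ordered by the numeric suffix
    (not lexically and not by mtime, either of which can misorder a spool)."""
    found = []
    for name in os.listdir(directory):
        m = SPOOL_RE.match(name)
        if m and m.group("base") == base:
            found.append((int(m.group("ts")), name))
    return [name for _, name in sorted(found)]


def inventory(directory, base):
    """[(name, kind, first (gid, sid) or None)] for one base filename pattern."""
    rows = []
    for name in spool_files(directory, base):
        path = os.path.join(directory, name)
        kind = classify(path)
        rows.append((name, kind, first_event(path) if kind == "unified2" else None))
    return rows


def build_sample_spool(directory):
    """Constructed spool: snort.log.<epoch> holding pcap headers and
    merged.log.<epoch> holding one unified2 event each, plus an empty file."""
    # little-endian libpcap global header: magic, v2.4, tz 0, sigfigs 0,
    # snaplen 65535, linktype 1 (Ethernet); on disk the magic is d4 c3 b2 a1
    pcap_hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)

    def u2_event(epoch):
        # type 7 record with the 52-byte legacy body: sensor 0, event_id 1,
        # second=epoch, usec 0, sid 1000001 (made-up local rule), gid 1, rev 1
        body = struct.pack(">7I", 0, 1, epoch, 0, 1000001, 1, 1) + b"\0" * 24
        return struct.pack(">II", 7, len(body)) + body

    for epoch in (1349800000, 1349803600):          # made-up rollover times
        with open(os.path.join(directory, "snort.log.%d" % epoch), "wb") as fh:
            fh.write(pcap_hdr)
        with open(os.path.join(directory, "merged.log.%d" % epoch), "wb") as fh:
            fh.write(u2_event(epoch))
    open(os.path.join(directory, "merged.log.1349807200"), "wb").close()


def demo():
    """Build the constructed spool in a temp dir and inventory both patterns."""
    d = tempfile.mkdtemp(prefix="spool-")
    build_sample_spool(d)
    return {base: inventory(d, base) for base in ("snort.log", "merged.log")}


if __name__ == "__main__":
    for base, rows in demo().items():
        print(base)
        for name, kind, ev in rows:
            print("  %-24s %-9s %s" % (name, kind, ev if ev else ""))
```

Run it against a real spool directory by calling inventory("/var/log/snort", "merged.log") instead of demo(); the "empty" and truncated-record cases matter there because snort keeps the newest file open while writing. The same base name is what barnyard2 expects on its -f option (with -d for the spool directory and -w for its bookmark, the "waldo" file that gives the thread its subject), so pointing barnyard2 at a base whose files classify as pcap rather than unified2 is exactly the mix-up the message warns about.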