[Snort-users] general questions

waldo kitty
Fri Mar 29 15:36:50 EDT 2013

On 3/29/2013 13:22, Jeremy Hoel wrote:
> You need to look at the snort.conf in the output section and see how
> snort outputs its data.. [...]

funny thing, this... as i've written numerous times before, our particular snort 
installations do not have any output plugins configured and there is nothing in 
the conf or elsewhere that states that snort outputs the text alert and binary 
pcap files /by default/... not unless several of us have missed this in the docs 
somewhere... it took me sending a snort.log.xxxxxxxxxx file to joel for him to 
try to read before he was able to tell us that this was a plain old pcap file...

IMHO, snort should *not* default to naming these as snort.log.xxxxxxxxxx but 
instead snort.pcap.xxxxxxxxxx so as to properly indicate their actual 
contents... granted, if there is an "override" in the output section of the conf 
file, then that should be used but even the examples for defining these should 
not use "log" since it is a pcap instead...

> you need to figure out how you want to use the data in order to
> determine how to output it.

agreed 100%
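An added check, not from this thread or from the Snort project, that settles the question above by content rather than by file name: it reads the pcap global header of a snort.log.xxxxxxxxxx file and counts the packet records, so a file can be identified as pcap even when no output plugin is configured and the name says "log". The sample bytes below are constructed, not captured from a real sensor.

```python
import struct
import sys

# pcap global header magic numbers: (byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "usec"),   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "usec"),   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"),   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "nsec"),   # big-endian, nanosecond timestamps
}


def inspect_snort_log(data: bytes) -> dict:
    """Identify a snort.log.* file by its header, not its name.

    Returns is_pcap=False for anything else (e.g. the text alert file);
    for pcap data, reports version, link type, snaplen, packet count and
    whether the file ends mid-record (truncated or corrupt)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        return {"is_pcap": False}
    endian, resolution = PCAP_MAGICS[data[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, offset = 0, 24
    while offset + 16 <= len(data):
        # per-packet record header: ts_sec, ts_frac, incl_len, orig_len
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            break  # record longer than snaplen or past EOF: stop counting
        packets += 1
        offset += 16 + incl_len
    return {"is_pcap": True, "version": f"{major}.{minor}", "timestamp_resolution": resolution,
            "snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": offset != len(data)}


# Constructed sample: little-endian pcap v2.4, Ethernet (linktype 1), two 14-byte frames.
_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
SAMPLE_PCAP = (b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1364585810, 0, 14, 14) + _FRAME
               + struct.pack("<IIII", 1364585811, 500, 14, 14) + _FRAME)
# Constructed sample of what a text alert file looks like instead.
SAMPLE_TEXT = b"[**] [1:1:1] constructed test alert [**]\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. python3 inspect_snort_log.py /var/log/snort/snort.log.*
        with open(path, "rb") as fh:
            print(path, inspect_snort_log(fh.read()))
```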