[Snort-users] general questions
wkitty42 at ...14940...
Fri Mar 29 15:36:50 EDT 2013
On 3/29/2013 13:22, Jeremy Hoel wrote:
> You need to look at the snort.conf in the output section and see how
> snort outputs its data.. [...]
funny thing, this... as i've written numerous times before, our particular snort
installations do not have any output plugins configured and there is nothing in
the conf or elsewhere that states that snort outputs the text alert and binary
pcap files /by default/... not unless several of us have missed this in the docs
somewhere... it took me sending a snort.log.xxxxxxxxxx file to joel for him to
try to read before he was able to tell us that this was a plain old pcap file...
IMHO, snort should *not* default to naming these as snort.log.xxxxxxxxxx but
instead snort.pcap.xxxxxxxxxx so as to properly indicate their actual
contents... granted, if there is an "override" in the output section of the conf
file, then that should be used but even the examples for defining these should
not use "log" since it is a pcap instead...
> you need to figure out how you want to use the data in order to
> determine how to output it.
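
Added example, not part of the original post and not Snort's own code: a check that reads the first 24 bytes of each snort.log.* file and reports whether it carries a classic libpcap global header, which is how the "log" files described above can be identified as pcap. The function names, the directory argument and the sample header values are assumptions made for illustration.

```python
import glob
import os
import struct
import sys

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamps


def pcap_info(header):
    """Parse a 24-byte pcap global header; return None if it is not pcap."""
    if len(header) < 24:
        return None
    # The header is written in the capturing host's byte order, so try both.
    for fmt, order in (("<IHHiIII", "little"), (">IHHiIII", "big")):
        magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
            fmt, header[:24])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return {"byte_order": order,
                    "version": "%d.%d" % (major, minor),
                    "nanosecond": magic == MAGIC_NSEC,
                    "snaplen": snaplen,
                    "linktype": linktype}  # 1 = Ethernet
    return None


def scan(logdir):
    """Map each snort.log.* file in logdir to its header info (or None)."""
    results = {}
    for path in sorted(glob.glob(os.path.join(logdir, "snort.log.*"))):
        with open(path, "rb") as fh:
            results[os.path.basename(path)] = pcap_info(fh.read(24))
    return results


# Constructed sample header (not taken from a real capture):
# little-endian, pcap format 2.4, snaplen 1514, Ethernet link type.
SAMPLE = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 1514, 1)

if __name__ == "__main__":
    logdir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, info in scan(logdir).items():
        print(name, "->", info if info else "not a classic pcap file")
```

A file that parses here can be opened directly with any pcap reader; a text alert file returns None.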