Snort mailing list archives
Documentation: log_tcpdump and maybe others.
From: Jesus Couto <jesus.couto () satec es>
Date: Thu, 25 Oct 2001 13:13:06 +0200
Hi. Writing just to suggest that the user manual should be updated to explain that, if you use a full path in the name of the file of the log_tcpdump plugin, it uses that exact file, without the "%m%d@%H%M-" prefix, and that means your log file can be deleted, as snort unlinks the file if it hasn't written anything to the file, so in the (unlikely?) case that you restart snort too soon and nothing gets logged, your previous log is deleted.

The circumstances I discovered this are a bit embarrassing... I'm trying to log anything to MySQL, so I configured that plugin to log the alerts, but then it was also logging the packets using the "directory" text log style, so I changed it to use log_tcpdump and redirected it to /dev/null; running snort as root and restarting to test something left me without that device :-(

BTW, now I have it working, by running snort chrooted and under another user and writing to a null device in the jail that it can't delete because the owner is root, but of course now I can't send a HUP to it and get it restarted. Does anyone know of a cleaner way to achieve this?
Thanks in advance,
Jesús Couto F.
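The hazard described above is a logger that unlinks whatever path it was handed verbatim, including a device node, when it has nothing to write. As an added illustration (not Snort's code, and not something the poster wrote), the following POSIX shell function shows the check such cleanup should make: it removes the path only if it is an ordinary, empty regular file, and keeps symlinks, device nodes, FIFOs, directories and non-empty files. The `demo` function, the scratch directory and the file names in it are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snort.
# Remove a log path only when it is an empty regular file; refuse
# anything else so a misconfigured output path (e.g. /dev/null) is
# never unlinked by a cleanup step.
#
# Returns 0 if the path was removed, 1 if it was deliberately kept,
# 2 if it does not exist at all.
safe_remove_empty_log() {
    path=$1
    # Test for a symlink first: -e and -f follow links, so a link
    # pointing at a device would otherwise look like "not a regular file"
    # only by luck, and a link to an empty file would be unlinked blindly.
    if [ -L "$path" ]; then
        echo "kept: $path is a symlink" >&2
        return 1
    fi
    if [ ! -e "$path" ]; then
        return 2
    fi
    # Only regular files qualify: no device nodes, FIFOs, sockets, dirs.
    if [ ! -f "$path" ]; then
        echo "kept: $path is not a regular file" >&2
        return 1
    fi
    # Never discard a file that already holds data.
    if [ -s "$path" ]; then
        echo "kept: $path is not empty" >&2
        return 1
    fi
    rm -f -- "$path"
    return 0
}

# Demonstration on constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d)
    : > "$dir/empty.log"                 # empty regular file: removed
    printf 'data\n' > "$dir/full.log"    # non-empty: kept
    ln -s /dev/null "$dir/link.log"      # symlink: kept
    safe_remove_empty_log "$dir/empty.log"; echo "empty.log -> $?"
    safe_remove_empty_log "$dir/full.log";  echo "full.log -> $?"
    safe_remove_empty_log "$dir/link.log";  echo "link.log -> $?"
    safe_remove_empty_log /dev/null;        echo "/dev/null -> $?"
    rm -rf -- "$dir"
}

demo
```

The same ordering matters in C: an `lstat()` followed by an `S_ISREG()` and size check before `unlink()`, rather than unlinking on the strength of a byte counter alone. Running the daemon as an unprivileged user, as the poster ended up doing, limits the blast radius if the check is missing, but does not replace it.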