Snort mailing list archives

output log_tcpdump bulk.log


From: Bob Hillegas <bobhillegas () pdq net>
Date: Tue, 5 Mar 2002 23:15:11 -0600 (CST)

BACKGROUND... In my snort.conf I have added the following ruletype:

ruletype bulk
{
  type log
  output log_tcpdump bulk.log
}

This rule type is fed by a rule in local.rules:

log ip any any <> any any (msg:"Capture all ip packets")

PROBLEM... File is overwritten!!

I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every 
30 minutes. This means it dials twice an hour. Since I get a new IP every 
time I dial in, I must kill -INT snort.pid each time the interface goes 
down and restart snort with 

var HOME_NET $ppp0_ADDRESS

every time the interface is brought back up. That works fine.
But, the above output statement creates filenames like 0305@22-bulk.log. 
When two are created the same hour, the second one overwrites the first. 

QUESTION... Is there a way of extending the naming to include minutes, or 
to enable appending to file?

Thanks
-- 
-------------------------------------------------
Bob Hillegas           
<bobhillegas () pdq net> 



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
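The collision Bob describes comes from log_tcpdump stamping its file name only to the hour (MMDD@HH), so two dial-in sessions in the same hour write to the same file. One way to keep every session's capture, shown here as an added example that is not from the post or from the Snort project, is to leave the `output log_tcpdump bulk.log` line alone and instead restart snort with `-l` pointing at a fresh, minute-stamped directory from the ppp ip-up hook. The script assumes GNU `date` (for `-d @EPOCH`), pppd's ip-up argument order (`$1` is the interface), snort's standard `-D`, `-i`, `-c` and `-l` options, and the config, log and pidfile paths shown; all of those paths are assumptions, and `hour_stamp`, `bulk_logdir`, `same_hour`, `stop_snort` and `start_snort` are names invented for the example.

```shell
#!/bin/sh
# Added example (not from the post): a hypothetical /etc/ppp/ip-up hook that
# restarts snort into a fresh, minute-stamped log directory on every dial-in,
# so two sessions in the same hour no longer share a log_tcpdump file name.
# Assumes GNU date (-d @EPOCH), pppd's ip-up argument order ($1 = interface)
# and a snort.conf / pidfile at the (assumed) paths below.

SNORT_CONF=/etc/snort/snort.conf   # assumed path
LOG_BASE=/var/log/snort            # assumed path
PIDFILE=/var/run/snort.pid         # assumed path

# The naming the post describes: month, day and hour only (MMDD@HH), so two
# sessions within one hour get the same name and the second overwrites the
# first. UTC is used here so the result does not depend on the host timezone.
hour_stamp() {
    date -u -d "@$1" +%m%d@%H
}

# Per-session log directory: base plus a minute-resolution UTC stamp. The hook
# runs at most a few times an hour, so minute resolution is enough. The
# directory, not the file name, carries the timestamp, which means the
# "output log_tcpdump bulk.log" line in snort.conf stays exactly as it is.
bulk_logdir() {
    base=$1
    epoch=$2
    stamp=$(date -u -d "@$epoch" +%Y%m%d-%H%M) || return 1
    printf '%s/%s\n' "$base" "$stamp"
}

# Returns 0 when two sessions would collide under the hour-only scheme.
same_hour() {
    [ "$(hour_stamp "$1")" = "$(hour_stamp "$2")" ]
}

# SIGINT makes snort flush and close its output plugins before exiting (this
# is the kill -INT the post already uses); wait for the old process to go
# away before starting a new one so two instances never share a pidfile.
stop_snort() {
    [ -r "$PIDFILE" ] || return 0
    pid=$(cat "$PIDFILE")
    kill -INT "$pid" 2>/dev/null || return 0
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 20 ]; do
        sleep 1
        i=$((i + 1))
    done
}

# -l points every output plugin (log_tcpdump included) at the new directory.
# HOME_NET is still taken from "var HOME_NET $ppp0_ADDRESS" in snort.conf.
start_snort() {
    iface=$1
    dir=$2
    mkdir -p "$dir" || return 1
    snort -D -i "$iface" -c "$SNORT_CONF" -l "$dir"
}

# Entry point when pppd runs this file as /etc/ppp/ip-up: $1 is the interface.
if [ "$(basename "$0")" = "ip-up" ]; then
    stop_snort
    start_snort "$1" "$(bulk_logdir "$LOG_BASE" "$(date -u +%s)")"
fi
```

Installed as the ip-up hook, each dial-in produces a directory such as `/var/log/snort/20020306-0515/` holding that session's `bulk.log`, and a second session at 05:45 lands in `20020306-0545/` instead of overwriting it; the old captures can then be merged or rotated offline. Keeping the timestamp in the directory rather than the file name also keeps any alert or unified output from the same session together.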
