Snort mailing list archives
Re: output log_tcpdump bulk.log
From: John Sage <jsage () finchhaven com>
Date: Wed, 6 Mar 2002 06:04:55 -0800
Bob:

If you've already got cron involved, write a shell or perl script that runs from cron and renames the file. Here's something I use (perl wizards: don't laugh :-)

    #!/usr/bin/perl
    #
    # run from /etc/crontab by:
    # 00 4 * * * root /usr/bin/perl /var/log/snort/rotate_counts.plx
    # minute 00, hour 04, * * * rotate counts, datestamp, touch new
    #
    use strict;
    use warnings;

    # datestamp as mmddyyHHMM; chomp strips the trailing newline that the
    # backticks return, which would otherwise end up inside the filenames
    my $t = `date +%m%d%y%H%M`;
    chomp $t;

    # move the current count files aside under a datestamped name
    system("mv -f /var/log/snort/count_ports /var/log/snort/count_ports.$t");
    system("mv -f /var/log/snort/count_probes /var/log/snort/count_probes.$t");
    system("mv -f /var/log/snort/count_probes_sort /var/log/snort/count_probes_sort.$t");
    #
    # start fresh, empty files for the next period
    system("touch /var/log/snort/count_ports");
    system("touch /var/log/snort/count_probes");
    system("touch /var/log/snort/count_probes_sort");
    #
    # EOF rotate_counts.plx 09/29/01

HTH..

- John

--
Most people don't type their own logfiles; but, what do I care?

On Tue, Mar 05, 2002 at 11:15:11PM -0600, Bob Hillegas wrote:
> BACKGROUND...
>
> In my snort.conf I have added the following ruletype:
>
>     ruletype bulk
>     {
>         type log
>         output log_tcpdump bulk.log
>     }
>
> This rule type is fed by a rule in local.rules:
>
>     log ip any any <> any any (msg:"Capture all ip packets")
>
> PROBLEM...
>
> File is overwritten!! I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every 30 minutes. This means it dials twice an hour. Since I get a new ip every time I dial in, I must kill -INT snort.pid each time the interface goes down and restart snort with var HOME_NET $ppp0_ADDRESS every time the interface is brought back up. That works fine.
>
> But, the above output statement creates filenames like 0305@22-bulk.log. When two are created the same hour, the second one overwrites the first.
>
> QUESTION...
>
> Is there a way of extending the naming to include minutes, or to enable appending to file?
>
> Thanks
>
> --
> -------------------------------------------------
> Bob Hillegas <bobhillegas () pdq net>
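Added example, not code from John's or Bob's messages: a POSIX shell function that does what the thread is after for the log_tcpdump output, i.e. renames the capture with a minute-granular timestamp before Snort is restarted, and adds a numeric suffix if that name is already taken, so two restarts in the same minute cannot overwrite an earlier capture either. The directory and file names are assumptions; the function takes them as arguments. Losing a packet capture to an overwrite is an evidence-retention problem, which is why the collision check is there rather than relying on the timestamp alone.

```shell
#!/bin/sh
# rotate_capture DIR NAME [STAMP]
#   Moves DIR/NAME to DIR/NAME.STAMP, where STAMP defaults to the current
#   time as mmddyyHHMM (minute granularity, unlike Snort's hourly name).
#   If DIR/NAME.STAMP already exists, .1, .2, ... is appended until a free
#   name is found, so nothing is ever overwritten. Prints the new path.
#   Returns 1 if the source file does not exist or the move fails.
#   Example code with assumed paths; call it from the ip-down/ip-up hook or
#   from cron before Snort is restarted, e.g.:
#     rotate_capture /var/log/snort bulk.log
rotate_capture() {
    dir=$1
    name=$2
    stamp=${3:-$(date +%m%d%y%H%M)}
    src="$dir/$name"

    # nothing to rotate: Snort may not have written anything this session
    [ -e "$src" ] || return 1

    # pick the first free destination name
    dst="$src.$stamp"
    n=0
    while [ -e "$dst" ]; do
        n=$((n + 1))
        dst="$src.$stamp.$n"
    done

    # mv -f so a stale target that appeared in between does not prompt;
    # the loop above already guarantees dst was free when checked
    mv -f "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}
```

The function deliberately does not touch a fresh empty file afterwards: log_tcpdump writes a pcap header when it opens the file, and handing it an empty one would produce a capture with no header, so it is left to Snort to create the next file.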