Snort mailing list archives

Re: log files


From: "Dusty Hall" <halljer () auburn edu>
Date: Thu, 18 Mar 2004 08:14:34 -0600

Natalie,

  Although I'm not sure I understand your question fully... You might want to look at modifying your snort.conf to 
something like this...  Then you have two different logs logging with one instance of snort running.  Let me know your 
thoughts.

  Here's how I log different alerts to different log files...

*-  snort.conf *--
ruletype p2p
{ 
  type alert
  output alert_fast: p2p_alert
  output log_unified: filename unified.p2p, limit 512
}   

ruletype chat
{ 
  type alert
  output alert_fast: chat_alert
  output log_unified: filename unified.chat, limit 512
}

  You'll also need to modify the rules, i.e.:

chat.rules
*----------
change:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)

to this:
chat tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)

  I doubt anyone has read this far down but.... does this significantly affect the performance of snort?


-Dusty
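A complete snort.conf that applies the ruletype approach above to the original question (two rule sets, two separate logs, one read of large.dat) is shown here as an added example; it is not part of either post. The rule-type names (logA, logB), the output file names, the HOME_NET value and the two sample rules are assumptions constructed for illustration, and the `log_tcpdump` outputs stand in for the `-b` binary logging of the original command lines.

```conf
# Added example (not from the original posts): one configuration that
# reads the capture once and writes two separate logs, one per rule set.
#
# Run it with a single snort invocation, e.g.
#   snort -c snort.conf -r large.dat -l ./logdir
#
# HOME_NET, the rule-type names, file names and sample rules below are
# assumptions for illustration; adapt them to your own rule sets.

var HOME_NET 192.168.0.0/16
var EXTERNAL_NET !$HOME_NET

# Custom rule types must be declared before any rule (or included rules
# file) uses them.  'type alert' runs both the alert outputs and the log
# outputs listed in the block; log_tcpdump writes the matching packets in
# binary (tcpdump/pcap) form, as -b does on the command line.
ruletype logA
{
  type alert
  output alert_fast: alertA.txt
  output log_tcpdump: logA.log
}

ruletype logB
{
  type alert
  output alert_fast: alertB.txt
  output log_tcpdump: logB.log
}

# Rules for the first log use "logA" in place of "alert", rules for the
# second log use "logB".  (Sample rules constructed for this example.)
logA tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"RULESET A IRC connect"; flow:to_server,established; classtype:misc-activity; sid:1000001; rev:1;)
logB tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"RULESET B web request"; flow:to_server,established; content:"GET "; classtype:misc-activity; sid:1000002; rev:1;)

# The rules can equally live in separate files, rewritten the same way:
# include ruleA.rules
# include ruleB.rules
```

Two things to check before relying on this: the rule-type names must not collide with Snort's built-in action names (alert, log, pass, activate, dynamic), and rules left with the plain "alert" action still go to whatever default output is configured, not to either of these files. Depending on the Snort 2.x version, a timestamp is appended to the log_tcpdump file name, so look for logA.log.* rather than an exact name.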



"Luong, Natalie N" <natalie.n.luong () lmco com> 3/17/2004 7:20:45 PM >>>
Please bear with me, I'm fairly new to snort.


I have a very large tcpdump file (call it "large.dat").

Is it possible to log packets in that file of ruleA to one log file and log packets of ruleB to
a second log file using only one "read" of that original tcpdump file?

To elaborate....

I know I can execute two different commands:
1) snort -l ./logdir -L logA.log -b -c ruleAfile.conf -r large.dat
2) snort -l ./logdir -L logB.log -b -c ruleBfile.conf  -r large.dat

Now, can I create both logA.log and logB.log using only one "snort" command?

Thanks







-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


