Snort mailing list archives

Re: Logs and alerts directed into a single file?


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 07 Sep 2004 15:35:09 -0400

At 01:30 PM 9/7/2004, Sconeboy The Magnificent wrote:
I assume I am doing something wrong, but I cannot see a way to get
snort to log alerts and 'log' to one and the same file.

For example, I have a rule to diagnose http data across my network
using the session:printable; parameter [F1]. If I use an 'alert' rule
in my snort rules file it will log the alert for that rule to one file,
and then the actual payload data to another file [F2].

Is it possible to log the alert and then the data immediately after in one file?


Not that I'm aware of.

Also, for what it's worth, the text data logging mode is not recommended for production use because it's outrageously slow and causes packet loss.

If you're going to do basic text mode alert logging, I'd seriously suggest switching to tcpdump binary format for packet logs. If you later need the packets decoded into text, you can run the files through tcpdump -rx, or a decoder of your choice.

I'll admit this takes you further away from your desire for a collated report from snort, but report formatting is best handled by post-processing due to packet loss concerns. You might want to look at one or more data analysis tools to help generate the report formats you want.
http://www.snort.org/dl/contrib/data_analysis/
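The post-processing route Matt describes, as an added example that is not part of the original thread or of Snort itself: a small script that reads a one-line-per-alert text log in Snort's alert_fast style alongside a tcpdump/pcap binary packet log, pairs each alert with the packets that share its 5-tuple and fall within a short time window, and prints one collated report with the alert line followed by the packet payload. The alert lines and the pcap bytes are constructed inline for the demonstration. Assumptions: Ethernet/IPv4 framing with TCP or UDP on top, both logs on the same (UTC) clock, and a one-second skew tolerance (MATCH_WINDOW); the alert_fast line carries no year, so matching is done on month/day/time only.

```python
"""Collate Snort alert_fast text alerts with packets from a pcap binary log.

Added example, not code from the Snort project. Assumes alert lines such as
09/07-13:30:00.123456  [**] [1:1000001:1] msg [**] [Priority: 3] {TCP} a:p -> b:q
and a pcap file with Ethernet/IPv4/TCP|UDP frames (what snort -b / tcpdump write).
"""
import re
import socket
import struct
from datetime import datetime, timezone

MATCH_WINDOW = 1.0                 # assumption: allowed skew (seconds) between the two logs
IPPROTO_NAMES = {6: "TCP", 17: "UDP"}
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def _day_key(mon, day, h, m, s, us):
    """Reduce a timestamp to (month, day) plus seconds-of-day, the granularity alert_fast gives us."""
    return (mon, day), h * 3600 + m * 60 + s + us / 1e6


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines not in that format are skipped."""
    alerts = []
    for line in text.splitlines():
        mt = ALERT_RE.match(line.strip())
        if not mt:
            continue
        g = mt.groupdict()
        date, secs = _day_key(*(int(g[k]) for k in ("mon", "day", "h", "m", "s", "us")))
        alerts.append({"line": line.strip(), "date": date, "secs": secs, "sig": g["sig"], "msg": g["msg"],
                       "tuple": (g["proto"].upper(), g["src"], int(g["sport"]), g["dst"], int(g["dport"]))})
    return alerts


def parse_pcap(data):
    """Return [(date, secs, 5-tuple, payload)] for IPv4 TCP/UDP packets in a pcap file (either endianness)."""
    magic_le, magic_be = struct.unpack("<I", data[:4])[0], struct.unpack(">I", data[:4])[0]
    if magic_le in (0xA1B2C3D4, 0xA1B23C4D):
        end, magic = "<", magic_le
    elif magic_be in (0xA1B2C3D4, 0xA1B23C4D):
        end, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file")
    frac_div = 1e9 if magic == 0xA1B23C4D else 1e6          # nanosecond vs microsecond variant
    if struct.unpack(end + "I", data[20:24])[0] != 1:         # DLT_EN10MB only in this example
        raise ValueError("unsupported link type")
    off, out = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4: skip
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in IPPROTO_NAMES or len(ip) < ihl + 8:
            continue
        l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8           # TCP data offset, UDP fixed 8
        dt = datetime.fromtimestamp(ts_sec, tz=timezone.utc)   # assumption: both logs in UTC
        date, secs = _day_key(dt.month, dt.day, dt.hour, dt.minute, dt.second, 0)
        tup = (IPPROTO_NAMES[proto], socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
        out.append((date, secs + ts_frac / frac_div, tup, l4[hdr:]))
    return out


def collate(alert_text, pcap_bytes):
    """Pair each alert with packets of the same 5-tuple within MATCH_WINDOW seconds."""
    packets = parse_pcap(pcap_bytes)
    return [(a, [p for d, s, t, p in packets
                 if d == a["date"] and t == a["tuple"] and abs(s - a["secs"]) <= MATCH_WINDOW])
            for a in parse_alerts(alert_text)]


def render(pairs):
    """One report: alert line, then hex + printable dump of each matched payload."""
    lines = []
    for a, hits in pairs:
        lines.append(a["line"])
        lines.append("    (no packet matched)" if not hits else "")
        for p in hits:
            lines.append("    %-48s %s" % (p[:16].hex(" "), "".join(chr(b) if 32 <= b < 127 else "." for b in p)))
        lines.append("")
    return "\n".join(l for l in lines if l is not None)


# --- constructed sample input (not real traffic) --------------------------------------------
def make_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame with zero checksums; sufficient for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def make_pcap(frames):
    """frames: [(epoch_seconds, frame_bytes)] -> little-endian microsecond pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(f), len(f)) + f
    return out


T0 = datetime(2004, 9, 7, 13, 30, tzinfo=timezone.utc).timestamp()
SAMPLE_ALERTS = """\
09/07-13:30:00.123456  [**] [1:1000001:1] HTTP GET on internal net [**] [Priority: 3] {TCP} 10.0.0.5:43210 -> 10.0.0.9:80
09/07-13:31:00.000000  [**] [1:1000001:1] HTTP GET on internal net [**] [Priority: 3] {TCP} 10.0.0.7:51000 -> 10.0.0.9:80
"""
SAMPLE_PCAP = make_pcap([
    (T0 + 0.5, make_frame("10.0.0.5", 43210, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n")),        # matches alert 1
    (T0 + 30.0, make_frame("10.0.0.5", 43210, "10.0.0.9", 80, b"GET /late HTTP/1.0\r\n\r\n")),  # same tuple, too late
])

if __name__ == "__main__":
    print(render(collate(SAMPLE_ALERTS, SAMPLE_PCAP)))
```

Matching on the 5-tuple plus a time window is deliberate: Snort's text alert does not carry a packet identifier, so the tuple and timestamp are the only join keys available, and the window keeps a later packet on the same connection (the second sample frame) from being attributed to an earlier alert.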