question on specifying snort output files?

Posted on 2011-10-11
Last Modified: 2013-11-29
I'm confused about snort outputs.  Where are the output file(s) supposed to be specified?

OR, more specifically, I've got two files being written (alert and, but only have one output file specified (snort.log.xx) and am expecting only one output file (snort.log.xx).

Where's the alert file coming from?

As an aside, barnyard2 is not running at this time.

thanks in advance!



files being written are:

$ ls -la /var/snort/eth4

    drwxrwxr-x+ 3 snort snort     4096 Oct 11 10:08 .
    drwxr-xr-x. 3 snort snort     4096 Oct 11 10:03 ..
    -rw-rw-r--+ 1 snort snort 12535192 Oct 11 10:22 alert                 <-
    -rw-rw-r--+ 1 snort snort  1345798 Oct  9 03:28 alert-20111009.gz
    -rw-rw-r--+ 1 snort snort  1488789 Oct 10 03:36 alert-20111010.gz
    -rw-rw-r--+ 1 snort snort  1195682 Oct 11 03:40 alert-20111011.gz
    drwxrwxr-x+ 2 snort snort     4096 Oct 11 03:40 archive
    -rw-rw-r--+ 1 snort snort   357148 Oct 11 10:22 snort.log.1318356523  <-

But my /etc/snort/snort.conf only has one 'output' config directive:


       output unified2: filename snort.log, limit 128


And since this is redhat, have to use both /etc/sysconfig/snort and /etc/init.d/snortd to figure out where the target '-l' is,
which I figure is:


here's the ps ax | grep snort

    6851 ?        Ssl    0:51 /usr/sbin/snort -A fast -b -d -D -I -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/snort/eth4

Examining the two files, alerts looks like an ascii list of analomies, and looks like a binary file, presumably of datastream capture?

so where's the alert file coming from?

Question by:mlnpscda

    Author Comment

         So, from reading between the lines in snort docs, and some extensive googling, I'm guessing that the name of the alerts file is always and forever will be 'alert' or 'alert_<something>'. That's just what it is. So there is no config spec for the name of the alerts file.

    Is this correct?
    LVL 38

    Accepted Solution

    Most people normally store snort log in snort/log but it could be any directory you specify.
    This is a typical config for unified2 output in snort, using merged instead of splitting out alert and log...

    # unified2                                                                                                  
    # Recommended for most installs                                                                            
    output unified2: snort-unified merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types          
    # Additional configuration for specific types of installs                                                  
    # output alert_unified2: filename snort.alert, limit 128, nostamp                                          
    # output log_unified2: filename snort.log, limit 128, nostamp                                              
    To use barnyard2 effectively, remove the "nostamp" option so that the files get the unix timestamp.
    The "dash ELL" specifies the directory to write the log files to, so "-l /var/snort/log" is typical for my installs. You can change the file names to whatever you want, they do not have to have the names from the examples at all, and they don't have to end in alert/log either.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    This is a short article about OS X KeRanger, and what people can do to get rid of it.
    Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now