question on specifying snort output files?

Posted on 2011-10-11
Medium Priority
Last Modified: 2013-11-29
I'm confused about snort outputs.  Where are the output file(s) supposed to be specified?

OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output file specified (snort.log.xx) and am expecting only one output file (snort.log.xx).

Where's the alert file coming from?

As an aside, barnyard2 is not running at this time.

thanks in advance!



files being written are:

$ ls -la /var/snort/eth4

    drwxrwxr-x+ 3 snort snort     4096 Oct 11 10:08 .
    drwxr-xr-x. 3 snort snort     4096 Oct 11 10:03 ..
    -rw-rw-r--+ 1 snort snort 12535192 Oct 11 10:22 alert                 <-
    -rw-rw-r--+ 1 snort snort  1345798 Oct  9 03:28 alert-20111009.gz
    -rw-rw-r--+ 1 snort snort  1488789 Oct 10 03:36 alert-20111010.gz
    -rw-rw-r--+ 1 snort snort  1195682 Oct 11 03:40 alert-20111011.gz
    drwxrwxr-x+ 2 snort snort     4096 Oct 11 03:40 archive
    -rw-rw-r--+ 1 snort snort   357148 Oct 11 10:22 snort.log.1318356523  <-

But my /etc/snort/snort.conf only has one 'output' config directive:


       output unified2: filename snort.log, limit 128


And since this is redhat, have to use both /etc/sysconfig/snort and /etc/init.d/snortd to figure out where the target '-l' is,
which I figure is:


here's the ps ax | grep snort

    6851 ?        Ssl    0:51 /usr/sbin/snort -A fast -b -d -D -I -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/snort/eth4

Examining the two files, alerts looks like an ascii list of analomies, and snort.log.xxx looks like a binary file, presumably of datastream capture?

so where's the alert file coming from?

Question by:mlnpscda

Author Comment

ID: 36957296
     So, from reading between the lines in snort docs, and some extensive googling, I'm guessing that the name of the alerts file is always and forever will be 'alert' or 'alert_<something>'. That's just what it is. So there is no config spec for the name of the alerts file.

Is this correct?
LVL 38

Accepted Solution

Rich Rumble earned 2000 total points
ID: 37062807
Most people normally store snort log in snort/log but it could be any directory you specify.
This is a typical config for unified2 output in snort, using merged instead of splitting out alert and log...

# unified2                                                                                                  
# Recommended for most installs                                                                            
output unified2: snort-unified merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types          
# Additional configuration for specific types of installs                                                  
# output alert_unified2: filename snort.alert, limit 128, nostamp                                          
# output log_unified2: filename snort.log, limit 128, nostamp                                              
To use barnyard2 effectively, remove the "nostamp" option so that the files get the unix timestamp.
The "dash ELL" specifies the directory to write the log files to, so "-l /var/snort/log" is typical for my installs. You can change the file names to whatever you want, they do not have to have the names from the examples at all, and they don't have to end in alert/log either.

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question