Snort mailing list archives
Re: Please mommy... make the bad man stop!
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Mar 2002 11:02:51 -0800 (PST)
On Wed, 6 Mar 2002, Erek Adams wrote:
> On 6 Mar 2002, Rob Hughes wrote:
> > Here's the deal. Until some cvs update a few months ago, snort happily
> > logged /var/log/snort/snort.log. Then it started prepending a time/date
> > stamp onto the files, neatly removing my ability to do log rotate jobs
> > since the files now have unpredictable names. This is the only logging
> > entry:
> >
> >     output log_tcpdump: snort.log
> >
> > I'm currently running 1.8.4-beta2 on FreeBSD 4.5-STABLE. I've looked
> > through the code, but can't figure out why it's doing this. HALP! This
> > is driving me nuts.
>
> Whoopsy, I hit send before I was ready! :) Lemme dig thru the code and
> see what comes up. I'm headed to bed now. :)
Note to self: Don't try to write email whilst sleep deprived.
Rob,
[line numbers might be off slightly since this is a CVS version...]
If you have a look in log.c at about line 2549, you'll see the start
of InitBinLogFile. Going down into that a bit, you'll see some lines (2560
and 2581) that look like:

    strftime(timebuf, TIMEBUF_SIZE-1, "%m%d@%H%M", loc_time);

Later in the code you see a line (2588-2589) that looks like:

    snprintf(logdir, sizeof(logdir) -1, "%s%s/snort-%s.log",
             chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf);

That's where you'd need to change it.
***WARNING*** Doing this can be bad. That means you now have a one off
version of snort and you'll need to make the same mods to each new version
that comes out. I would suggest a simpler approach: Modify your script.
Have it scan the directory for any *snort*.log files and then stop snort, move
the files somewhere else with another name and then restart snort. This would
mean that your log dir shouldn't ever have more than one .log file in it.
Anyways--Hope this helps!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
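
The script-side approach suggested in the message above (scan for `*snort*.log`, stop Snort, move the files, restart), written out as an added example that is not part of the original post or of Snort. The `SNORT_STOP_CMD` / `SNORT_START_CMD` variables and the archive directory are assumptions to be set per host.

```shell
#!/bin/sh
# Added example (not from the post or from Snort). The stop/start commands
# and directory layout are assumptions; set them for your host.

# rotate_snort_logs LOGDIR ARCHIVE_DIR
# Moves every *snort*.log file out of LOGDIR while Snort is stopped and
# prints how many files were moved.
rotate_snort_logs() {
    logdir=$1
    archive=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    moved=0

    mkdir -p "$archive" || return 1
    chmod 700 "$archive"   # captures hold packet payloads; keep them private

    # No matching files: leave the sensor running and report zero.
    set -- "$logdir"/*snort*.log
    [ -e "$1" ] || { echo 0; return 0; }

    # Stop Snort so the capture file is flushed and closed before the move.
    # Nothing is captured while it is down, so keep this window short.
    ${SNORT_STOP_CMD:-true} || return 1

    for f in "$@"; do
        # Only regular files; a symlink planted in the log dir is skipped.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            base=$(basename "$f" .log)
            mv -- "$f" "$archive/$base.rotated-$stamp.log" &&
                moved=$((moved + 1))
        fi
    done

    # Restart; Snort opens a fresh snort-<timestamp>.log on startup.
    ${SNORT_START_CMD:-true} || return 1
    echo "$moved"
}
```

From cron this would be called as, for instance, `rotate_snort_logs /var/log/snort /var/log/snort/archive` (the archive path is hypothetical) with the two command variables set to whatever stops and starts Snort on that machine.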
