Recipe 9.25 Partitioning Snort Logs Into Separate Files

9.25.1 Problem

You want to split Snort's log output into separate files, based on the IP addresses and protocols detected.

9.25.2 Solution

# snort -l /var/log/snort -h network -r snort.log.timestamp

9.25.3 Discussion

Snort can split its formatted output into separate files, with names based on the remote IP address and protocols used: these files contain the same information printed by snort -v. Select this mode of operation by using the -l option without -b, plus the -h option to specify the "home network" for identification of the remote packets:

# cd /var/log/snort
# snort -l /var/log/snort -h 10.22.33.0/24 -r snort.log.1047160213
...
# find [0-9A-Z]* -type f -print | sort
10.30.188.28/TCP:1027-22
192.168.33.1/IP_FRAG
192.168.33.1/UDP:2049-800
192.168.33.2/TCP:6000-1050
192.168.33.2/TCP:6000-1051
192.168.33.2/TCP:6000-1084
ARP

Each top-level directory is named for the remote host. In the TCP and UDP filenames, the two numbers after the protocol are the remote and local port numbers, respectively (so TCP:1027-22 is a remote port 1027 talking to local port 22). Fragmented IP packets that could not otherwise be classified are recorded in a file named IP_FRAG under the remote host's directory. Details for ARP packets are stored in a file named ARP in the top-level logging directory.
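To make the layout concrete, here is the partitioning rule written out in Python. This is an added example, not code from the book or from Snort: it reproduces the recipe's naming scheme (remote host directory, PROTO:remoteport-localport, IP_FRAG, top-level ARP) over a small libpcap capture constructed inline, using only the standard library. It assumes that the "remote" host is whichever endpoint lies outside the -h home network (the destination when the source is inside it), that only non-first fragments, which carry no transport header, go to IP_FRAG, and it uses its own placeholder label IP_PROTO_<n> for protocols other than TCP and UDP.

```python
"""Snort-style split of a pcap into <remote_ip>/<PROTO>:<rport>-<lport> files.
Added example, not Snort's code: it reproduces the recipe's naming scheme."""
import ipaddress
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def build_pcap(frames):
    """Little-endian libpcap bytes (link type 1 = Ethernet) built in memory."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def iter_pcap(data):
    """Yield each captured frame from libpcap bytes (either byte order)."""
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def classify(frame, home):
    """Relative log path for one frame, following the recipe's layout: ARP at
    top level, IP_FRAG for non-first fragments, else PROTO:remoteport-localport."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_ARP:
        return "ARP"
    if ethertype != ETH_IP:
        return None                                # neither IP nor ARP
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
    # Assumption: the remote host is the end outside the -h home network; when
    # the source is inside it, the destination is taken as remote.
    remote = dst if src in home else src
    if frag_off:                                   # no transport header here
        return f"{remote}/IP_FRAG"
    name = PROTO_NAMES.get(ip[9])
    if name is None:
        return f"{remote}/IP_PROTO_{ip[9]}"        # this example's own label
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    rport, lport = (sport, dport) if remote == src else (dport, sport)
    return f"{remote}/{name}:{rport}-{lport}"      # remote port first

def partition(pcap_bytes, home_net):
    """Map each log-file path to the number of packets that would land in it."""
    home = ipaddress.ip_network(home_net)
    counts = defaultdict(int)
    for frame in iter_pcap(pcap_bytes):
        path = classify(frame, home)
        if path is not None:
            counts[path] += 1
    return dict(counts)

def write_tree(pcap_bytes, home_net, logdir):
    """Create the tree under logdir (one line per packet); return sorted paths."""
    home = ipaddress.ip_network(home_net)
    created = set()
    for n, frame in enumerate(iter_pcap(pcap_bytes)):
        rel = classify(frame, home)
        if rel is None:
            continue
        path = Path(logdir, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with path.open("a") as fh:
            fh.write(f"packet {n} len {len(frame)}\n")
        created.add(rel)
    return sorted(created)

def ipv4(src, dst, proto, payload, frag_off=0):
    """Ethernet + IPv4 frame builder for the constructed sample below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_off,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETH_IP) + hdr + payload

def l4(sport, dport):
    return struct.pack("!HH", sport, dport) + b"\x00" * 16  # only ports matter

HOME = "10.22.33.0/24"
SAMPLE = build_pcap([                                       # constructed, not a real trace
    ipv4("10.30.188.28", "10.22.33.5", 6, l4(1027, 22)),   # inbound ssh
    ipv4("10.22.33.5", "10.30.188.28", 6, l4(22, 1027)),   # its reply, same file
    ipv4("192.168.33.1", "10.22.33.7", 17, l4(2049, 800)), # NFS reply
    ipv4("192.168.33.1", "10.22.33.7", 17, b"\x00" * 8, frag_off=185),  # fragment
    ipv4("10.22.33.5", "192.168.33.2", 6, l4(1050, 6000)), # outbound X11
    b"\x00" * 12 + struct.pack("!H", ETH_ARP) + b"\x00" * 28,          # ARP
])

def demo():
    """Write SAMPLE into a temporary directory and return its listing."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_tree(SAMPLE, HOME, tmp)
```

Running demo() produces the same kind of listing as the find | sort command above; note that both directions of the ssh session land in the single file 10.30.188.28/TCP:1027-22 because the port order is fixed by which end is remote, not by which end sent the packet.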

Don't use split formatted output for logging while sniffing packets from the network: it is inefficient and discards information. For logging, we recommend binary libpcap-format files (produced by the -b option) for speed and flexibility. [Recipe 9.16] You can always split and format the output later, using the technique in this recipe.

9.25.4 See Also

snort(8). The Snort home page is http://www.snort.org.



Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247