Linux Security Cookbook [Electronic resources] - text version


Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

Recipe 9.25 Partitioning Snort Logs Into Separate Files



9.25.1 Problem



You want to split
Snort's log output into separate files, based on the
IP addresses and protocols detected.


9.25.2 Solution


# snort -l /var/log/snort -h network -r snort.log.timestamp


9.25.3 Discussion


Snort can split its formatted output into separate files, with names
based on the remote IP address and protocols used: these files
contain the same information printed by snort -v.
Select this mode of operation by using the -l
option without -b, plus the -h
option to specify the "home
network" for identification of the remote packets:

# cd /var/log/snort
# snort -l /var/log/snort -h 10.22.33.0/24 -r snort.log.1047160213
...
# find [0-9A-Z]* -type f -print | sort
10.30.188.28/TCP:1027-22
192.168.33.1/IP_FRAG
192.168.33.1/UDP:2049-800
192.168.33.2/TCP:6000-1050
192.168.33.2/TCP:6000-1051
192.168.33.2/TCP:6000-1084
ARP

The digits following the filenames for TCP and UDP traffic refer to
the remote and local port numbers, respectively. Information about
fragmented IP packets that could not otherwise be classified is
stored in files named IP_FRAG. Details for ARP
packets are stored in a file named ARP in the
top-level logging directory.
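As an added example (not code from the book or the Snort project), the following Python script turns a directory laid out as above into a per-remote-host inventory: how many sessions each remote address had, which local and remote ports they involved, and whether fragment or ARP data was recorded. It assumes only the file layout shown in the listing and reports any other file as unrecognised.

```python
"""Inventory Snort's split-mode output (snort -l DIR -h NET -r FILE) per remote host.
Added example, not the book's or Snort's code; it assumes only the layout the recipe shows:
DIR/<remote-ip>/<PROTO>:<remote-port>-<local-port>, DIR/<remote-ip>/IP_FRAG and DIR/ARP."""
import os
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SESSION_RE = re.compile(rf"^({IP})/([A-Z]+):(\d+)-(\d+)$")  # 10.30.188.28/TCP:1027-22
FRAG_RE = re.compile(rf"^({IP})/IP_FRAG$")                  # 192.168.33.1/IP_FRAG

def parse_name(name):  # one path relative to the log dir -> dict, or None if not split-mode
    name = name.replace(os.sep, "/")
    if name == "ARP":
        return {"kind": "arp"}
    if m := FRAG_RE.match(name):
        return {"kind": "frag", "ip": m.group(1)}
    if m := SESSION_RE.match(name):
        return {"kind": "session", "ip": m.group(1), "proto": m.group(2),
                "rport": int(m.group(3)), "lport": int(m.group(4))}

def summarize(names):
    """Per remote host: session count, local/remote ports per protocol, fragment flag."""
    hosts = defaultdict(lambda: {"sessions": 0, "frag": False,
                                 "local": defaultdict(set), "remote": defaultdict(set)})
    seen_arp, unknown = False, []
    for name in names:
        e = parse_name(name)
        if e is None:
            unknown.append(name)  # not produced by split mode (e.g. the alert file)
        elif e["kind"] == "arp":
            seen_arp = True
        elif e["kind"] == "frag":
            hosts[e["ip"]]["frag"] = True
        else:
            h = hosts[e["ip"]]
            h["sessions"] += 1
            h["local"][e["proto"]].add(e["lport"])   # local port the remote host talked to
            h["remote"][e["proto"]].add(e["rport"])  # port on the remote side
    # plain dicts of sets, so the result compares cleanly and needs no defaultdict
    return {"hosts": {ip: {**h, "local": dict(h["local"]), "remote": dict(h["remote"])}
                      for ip, h in hosts.items()}, "arp": seen_arp, "unrecognised": unknown}

def scan(logdir):  # walk a real split-log directory, e.g. /var/log/snort
    return summarize(os.path.relpath(os.path.join(root, f), logdir)
                     for root, _, files in os.walk(logdir) for f in files)

SAMPLE = ["10.30.188.28/TCP:1027-22", "192.168.33.1/IP_FRAG",  # constructed: the recipe's listing
          "192.168.33.1/UDP:2049-800", "192.168.33.2/TCP:6000-1050", "192.168.33.2/TCP:6000-1051",
          "192.168.33.2/TCP:6000-1084", "ARP"]
```

Running `scan("/var/log/snort")` after the split command above gives the same structure for real data; on the sample listing it shows, for instance, that 10.30.188.28 reached local port 22 while 192.168.33.2 was contacted on its port 6000 from three local ephemeral ports.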

Don't use split formatted output for logging while
sniffing packets from the network: it's
inefficient and discards information. For logging, we recommend
binary libpcap-format files (produced by the
-b option) for speed and flexibility. [Recipe 9.16] You can always split and format the output
later, using the technique in this recipe.


9.25.4 See Also


snort(8). The Snort home page is http://www.snort.org.
