لطفا منتظر باشید ...
Recipe 9.25 Partitioning Snort Logs Into Separate Files
9.25.1 Problem
You want to split
Snort's log output into separate files, based on the
IP addresses and protocols detected.
9.25.2 Solution
# snort -l /var/log/snort -h network -r snort.log.timestamp
9.25.3 Discussion
Snort can split its formatted output into separate files, with names
based on the remote IP address and protocols used: these files
contain the same information printed by snort -v.
Select this mode of operation by using the -l
option without -b, plus the -h
option to specify the "home
network" for identification of the remote packets:
# cd /var/log/snort
# snort -l /var/log/snort -h 10.22.33.0/24 -r snort.log.1047160213
...
# find [0-9A-Z]* -type f -print | sort
10.30.188.28/TCP:1027-22
192.168.33.1/IP_FRAG
192.168.33.1/UDP:2049-800
192.168.33.2/TCP:6000-1050
192.168.33.2/TCP:6000-1051
192.168.33.2/TCP:6000-1084
ARP
The digits following the filenames for TCP and UDP traffic refer to
the remote and local port numbers, respectively. Information about
fragmented IP packets that could not otherwise be classified is
stored in files named IP_FRAG. Details for ARP
packets are stored in a file named ARP in the
top-level logging directory.Don't use split formatted output for logging while
sniffing packets from the network it's
inefficient and discards information. For logging, we recommend
binary libpcap-format files (produced by the
-b option) for speed and flexibility. [Recipe 9.16] You can always split and format the output
later, using the technique in this recipe.
9.25.4 See Also
snort(8). The Snort home page is http://www.snort.org.
