First of all, the -r option is for reading and analyzing .pcap files. That's why you came across this error output:
ERROR: Can't initialize DAQ pcap (-1) - unknown file format
To be able to capture the Snort logs, you need to specify whether they will go to syslog or be stored in a file of your choice. In both cases you will need something to monitor the latest logs generated (e.g. tail(1) can be your friend here).
According to the snort(8) manpage:
-l : set the output log. By default it is set to /var/snort/log;
-i : set the specific interface to sniff packets on;
-s : send the log to syslog;
-c : set the config file that contains the rules;
Example of use:
Capture logs from eth0:
./snort -i eth0 -c /etc/snort/snort.conf -l ./snort-eth0.log
Use tail -f ./snort-eth0.log on another console to look at the logs in real time. If you want to send them to syslog, just add -s at the end of the snort command line.
Capture logs from Snort running in daemon mode:
First, you need to know where snort is writing the logs. To do this, check what was specified with the -l flag. If it is not specified, remember that the default path is /var/snort/log.
ps -p $(pidof /opt/snort3/bin/snort) -f
...
tail -f /var/snort/log
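The daemon-mode procedure above (read the running process's command line, look for -l, fall back to the default) can be scripted so you do not have to eyeball the ps output. The following is an added example, not code from the answer above or from the Snort project. It takes the flag meanings and the /var/snort/log default exactly as stated in the answer and does not re-check them against any particular Snort version; the syslog file path in snort_follow and the function names are assumptions. The snort_logdest function also handles a few cases the answer does not mention: -s overriding -l (logs go to syslog), the glued "-l/path" form, and a trailing -l with no value.

```shell
#!/bin/sh
# Added example (not from the original answer): work out where a running
# snort process is sending its logs and follow them with tail.
# Assumptions: flag meanings and default log path as given in the answer;
# syslog file location varies by distribution and is a guess here.

SNORT_DEFAULT_LOGDIR=/var/snort/log

# snort_logdest CMDLINE
#   CMDLINE is the snort command line as printed by `ps -p PID -o args=`.
#   Prints "syslog" if -s was passed, otherwise the -l argument,
#   otherwise the default directory.
snort_logdest() {
    _dest="$SNORT_DEFAULT_LOGDIR"
    _syslog=0
    # Split the command line into words (intentional word splitting).
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)  _syslog=1 ;;
            -l)  # separate form: "-l /path"; ignore a dangling -l with no value
                 if [ $# -gt 1 ]; then shift; _dest="$1"; fi ;;
            -l*) # glued form: "-l/path"
                 _dest="${1#-l}" ;;
        esac
        shift
    done
    if [ "$_syslog" -eq 1 ]; then
        echo syslog
    else
        echo "$_dest"
    fi
}

# snort_follow PID
#   Resolve the log destination of the snort process PID and tail it.
snort_follow() {
    _dest=$(snort_logdest "$(ps -p "$1" -o args=)")
    case "$_dest" in
        syslog)
            # Assumption: Debian-style syslog file; adjust for your system.
            tail -F /var/log/syslog ;;
        *)
            if [ -d "$_dest" ]; then
                # -l names a directory: follow its most recently modified file
                tail -F "$_dest/$(ls -t "$_dest" | head -n 1)"
            else
                tail -F "$_dest"
            fi ;;
    esac
}

# Usage (uncomment to run against a live daemon):
# snort_follow "$(pidof /opt/snort3/bin/snort)"
```

Source the file and call snort_follow with the PID from pidof; if pidof returns several PIDs (multiple snort instances), pass them one at a time.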