I'm confused about snort outputs. Where are the output file(s) supposed to be specified?
OR, more specifically, I've got two files being written (alert and snort.log.xxx), but only have one output file specified (snort.log.xx) and am expecting only one output file (snort.log.xx).
Where's the alert file coming from?
As an aside, barnyard2 is not running at this time.
Thanks in advance!
Details:
Files being written are:
$ ls -la /var/snort/eth4
drwxrwxr-x+ 3 snort snort 4096 Oct 11 10:08 .
drwxr-xr-x. 3 snort snort 4096 Oct 11 10:03 ..
-rw-rw-r--+ 1 snort snort 12535192 Oct 11 10:22 alert <-
-rw-rw-r--+ 1 snort snort 1345798 Oct 9 03:28 alert-20111009.gz
-rw-rw-r--+ 1 snort snort 1488789 Oct 10 03:36 alert-20111010.gz
-rw-rw-r--+ 1 snort snort 1195682 Oct 11 03:40 alert-20111011.gz
drwxrwxr-x+ 2 snort snort 4096 Oct 11 03:40 archive
-rw-rw-r--+ 1 snort snort 357148 Oct 11 10:22 snort.log.1318356523 <-
But my /etc/snort/snort.conf only has one 'output' config directive:
output unified2: filename snort.log, limit 128
And since this is Red Hat, I have to use both /etc/sysconfig/snort and /etc/init.d/snortd to figure out where the target '-l' is, which I figure is:
/var/snort/eth4
Here's the ps ax | grep snort:
6851 ? Ssl 0:51 /usr/sbin/snort -A fast -b -d -D -I -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/snort/eth4
Examining the two files, alert looks like an ASCII list of anomalies, and snort.log.xxx looks like a binary file, presumably of datastream capture?
So where's the alert file coming from?
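Added example, not part of the original post: a minimal Python decoder for the unified2 records that the `output unified2: filename snort.log` directive writes, run on a constructed IDS event plus its packet record. It assumes Snort's Unified2IDSEvent (type 7, 52-byte IPv4 layout) and Unified2Packet (type 2) record formats; all sample values are made up.

```python
import struct
import socket

# unified2 record = 4-byte big-endian type + 4-byte big-endian length + body.
UNIFIED2_PACKET = 2       # body: 7 x uint32 header, then the raw packet bytes
UNIFIED2_IDS_EVENT = 7    # body: fixed 52-byte IPv4 event
IDS_EVENT_FMT = ">11I2H4B"
IDS_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                    "signature_id", "generator_id", "signature_revision",
                    "classification_id", "priority_id", "ip_source", "ip_destination",
                    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FMT = ">7I"
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_unified2(data):
    """Return a list of (record_type, fields) tuples decoded from a unified2 byte string."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # truncated tail: snort is still writing this record, stop cleanly
        if rtype == UNIFIED2_IDS_EVENT and rlen >= struct.calcsize(IDS_EVENT_FMT):
            ev = dict(zip(IDS_EVENT_FIELDS, struct.unpack_from(IDS_EVENT_FMT, body)))
            for k in ("ip_source", "ip_destination"):
                ev[k] = socket.inet_ntoa(struct.pack(">I", ev[k]))  # uint32 -> dotted quad
            records.append((rtype, ev))
        elif rtype == UNIFIED2_PACKET and rlen >= struct.calcsize(PACKET_FMT):
            pk = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body)))
            pk["packet"] = body[28:28 + pk["packet_length"]]
            records.append((rtype, pk))
        else:
            records.append((rtype, {"raw": body}))  # other record types kept opaque
        off += 8 + rlen
    return records


def build_sample():
    """Constructed sample stream: one IDS event followed by its packet record (not real traffic)."""
    event = struct.pack(IDS_EVENT_FMT, 0, 1, 1318356523, 0, 1000001, 1, 1, 3, 2,
                        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
                        int.from_bytes(socket.inet_aton("198.51.100.5"), "big"),
                        40000, 80, 6, 0, 0, 0)
    payload = b"GET / HTTP/1.0\r\n\r\n"
    packet = struct.pack(PACKET_FMT, 0, 1, 1318356523, 1318356523, 0, 1, len(payload)) + payload
    rec = lambda t, b: struct.pack(">II", t, len(b)) + b
    return rec(UNIFIED2_IDS_EVENT, event) + rec(UNIFIED2_PACKET, packet)
```

Pointing parse_unified2 at the bytes of a real snort.log.<timestamp> file shows the same structure: event records carrying the rule's generator/signature ids, interleaved with the packets that triggered them.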