Menu
I have been working with snort-IDS. I have got some log files at /var/log/snort. The files are of type snort.log.xxxx. How do i view this file???
645
You can read as a normal capture file: You can use wireshark , tshark -r , tcpdump -r , or even re-inject them in snort with snort -r . "Native" snort format. You can read it with u2spewfoo <file> (included in snort), or convert it to a pcap with u2boat .
After a default installation and without any specific output plugins enabled, Snort logs all alerts to a file named Alert in the default log directory /var/log/snort.
Actually, you can read them in the commandline or terminal like snort -r xx.log.xxx$.For details, referring to the manual of snort.
167
I will reopen this question trying to merge the others answers, since I think that they are not properly explained.
snort.log.xxx file typeSnort could have output you two kind of output file format depending on snort output plugin option for that files: tcpdump pcap and snort's unified2. In order to know what kind are your files, use the unix file command.
It will tell you tcpdump capture file (goto 2) or data (goto 3).
You can read as a normal capture file: You can use wireshark, tshark -r, tcpdump -r, or even re-inject them in snort with snort -r.
"Native" snort format. You can read it with u2spewfoo <file> (included in snort), or convert it to a pcap with u2boat.
If you want to transform it to another alert system (syslog, for example), you can use barnyard2. Barnyard2 is a simple tool, but configuration is a little bit complex, so tell me if you need more information!
Barnyard2 is also capable to transform it "continuously", i.e., the previous tools are one short: they print/convert one file one time, and the exit. Barnyard2 is able to monitor snort log directory and process events at the time they are produced by snort.
The unified2 format is used because snort old unique thread design. The time snort spend waiting syslog, screen, etc. to ACK alert is time that snort is not using to analyze packets. So, the way was to dump then in a efficient binary format, and let another program (maybe with low CPU priority) to process them.
26
Assuming they are logged in binary PCAP format, then Wireshark is your friend.
4
sudo tcpdump -r snort.log.XXXX
Will output it to your screen. Use tcpdump since they are in pcap format.
2
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
