Subject: Re: [snort] Closing -b log file
From: Martin Roesch (roeschhiverworld.com)
Date: Tue Mar 07 2000 - 11:08:08 CST


Ah, I see. If you HUP Snort it'll restart, closing the current log file
and starting a new one. How's that sound? Snort even keeps a PID file
in /var/run these days, so it's easy to track down....

"Andrew R. Baker" wrote:
>
> This will teach me to be more explicit, what I really want is a way to
> tell snort to close the current log and open a new one. Then I can have
> this done once a day when I rotate the alert logs, so I have a matched
> set.
>
> On Mon, 6 Mar 2000, Martin Roesch wrote:
> > Which version are you using? I believe that we're flushing it in 1.5.2+
> > as well as the 1.6-beta series. Check out the LogBin() function in
> > log.c for confirmation. You should see an fflush() call in there....
> >
> > "Andrew R. Baker" wrote:
> > >
> > > Is there a way to have snort close the tcpdump style log file (generated
> > > from the -b option) without just killing and restarting?

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
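The daily rotation Andrew describes, done the way Martin suggests, as an added example that is not from the thread: move the alert file and the -b binary log aside under one shared suffix, then HUP the Snort process found via its PID file so it restarts and opens fresh files. File names (`alert`, `snort.log`) and the PID file path (`/var/run/snort_eth0.pid`) are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example, not from the thread: rotate Snort's -b binary log together
# with the alert file by moving both aside and sending SIGHUP, which makes
# Snort restart and open fresh files. Assumed names (adjust to your install):
# alert file "alert", binary log "snort.log", PID file /var/run/snort_eth0.pid.

# Read and validate the PID stored in the PID file; print it, or fail.
read_pid() {
    pid_file="$1"
    [ -r "$pid_file" ] || return 1
    pid=$(head -n 1 "$pid_file" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain integer
    esac
    printf '%s\n' "$pid"
}

# Move the alert file and the binary log aside with one shared suffix,
# so the rotated pair stays a matched set. Prints how many files moved.
rotate_files() {
    dir="$1"; stamp="$2"; moved=0
    for f in alert snort.log; do
        if [ -f "$dir/$f" ]; then
            mv "$dir/$f" "$dir/$f.$stamp"
            moved=$((moved + 1))
        fi
    done
    printf '%s\n' "$moved"
}

# Full rotation: validate the PID, make sure that process is actually alive
# (a stale PID file would leave moved files with no Snort to reopen them),
# move the files, then HUP Snort. Snort keeps writing to the moved inodes
# until it restarts, so no packets are lost in between.
rotate_snort_logs() {
    dir="$1"; pid_file="$2"; stamp="${3:-$(date +%Y%m%d)}"
    pid=$(read_pid "$pid_file") || { echo "no valid PID in $pid_file" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "PID $pid is not running" >&2; return 1; }
    rotate_files "$dir" "$stamp" >/dev/null
    kill -HUP "$pid"
}
```

Call `rotate_snort_logs /var/log/snort /var/run/snort_eth0.pid` from the same daily cron job that rotates the alert logs, so both files roll over at the same moment.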