Managing Snort logging
The default Snort configuration causes it to log any triggered alerts in unified2 format to /var/log/snort/snort.log. This causes the alert instances and the relevant packet data to be logged in a binary format, which requires special tools to understand. One simple tool for reading unified2 format is u2spewfoo. Alternatively, u2boat can be used to convert the logs into pcap files, which may be read by tcpdump or wireshark.
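To make the binary format concrete, the following minimal reader is an added example (not code from this book or from the Snort project): it walks a unified2 byte stream and decodes the two record types most commonly found in /var/log/snort/snort.log, the IPv4 event record (type 7) and the packet record (type 2), in the same spirit as u2spewfoo. The record layouts follow Snort's unified2 definition; the sample log it parses is constructed inside the block, not taken from a real sensor.

```python
import struct
import ipaddress

# Record type codes and body layouts from Snort's unified2 definition (network byte order).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FMT = "!" + "I" * 11 + "HHBBBB"  # 52-byte Unified2IDSEvent_legacy (IPv4 event)
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag",
                "impact", "blocked")
PACKET_FMT = "!" + "I" * 7  # 28-byte Serial_Unified2Packet header, then the raw frame
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_unified2(data):
    """Return one dict per record. Each record is an 8-byte header (uint32 type,
    uint32 body length) followed by the body; unknown types are kept as raw bytes."""
    records, offset = [], 0
    while offset + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, offset)
        body = data[offset + 8:offset + 8 + length]
        if len(body) < length:  # log cut short mid-record (e.g. sensor still writing)
            raise ValueError("truncated record at offset %d" % offset)
        if rtype == UNIFIED2_IDS_EVENT and length >= 52:
            rec = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
            rec["src"] = str(ipaddress.IPv4Address(rec["ip_source"]))
            rec["dst"] = str(ipaddress.IPv4Address(rec["ip_destination"]))
        elif rtype == UNIFIED2_PACKET and length >= 28:
            rec = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body)))
            rec["packet_data"] = body[28:28 + rec["packet_length"]]
        else:
            rec = {"raw": body}
        rec["type"] = rtype
        records.append(rec)
        offset += 8 + length
    return records


def build_sample():
    """Constructed sample: one IPv4 alert (sid 1000001, TCP to port 80) followed by
    its captured frame. Hand-built test data, not output of a real Snort run."""
    event = struct.pack(EVENT_FMT, 0, 1, 1700000000, 1234, 1000001, 1, 1, 3, 2,
                        int(ipaddress.IPv4Address("10.0.0.5")),
                        int(ipaddress.IPv4Address("10.0.0.9")), 44321, 80, 6, 0, 0, 0)
    frame = bytes(40)  # placeholder 40-byte Ethernet frame; linktype 1 = DLT_EN10MB
    packet = struct.pack(PACKET_FMT, 0, 1, 1700000000, 1700000000, 1234, 1, len(frame)) + frame
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)
```

Pointing parse_unified2 at the bytes of a real snort.log file gives the same event/packet pairing that u2spewfoo prints; event and packet records share event_id, which is how the two are matched.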
A useful option, which needs no tools beyond those Ubuntu provides, is to log alerts in plaintext to disk. These alert logs let you read the messages from within /var/log/snort as plain text from the console. You may also choose to have Snort log packet captures directly in pcap format.
How to do it...
- Open /etc/snort/snort.conf in your favorite text editor.
- Search for the lines which start with output in order to determine the current logging settings and know where to put additional output options. The stock Ubuntu snort installation sets...