Recipe 9.24 Logging with Snort

9.24.1 Problem

You want to manage Snort's output and log files in an efficient, effective manner.

9.24.2 Solution

To log network trace data for later analysis:

    # snort -b [-l logging-directory] [-L basename]

To examine the network trace data:

    $ snort -r logfile

or use any other program that reads libpcap-format files, such as Ethereal. [Recipe 9.17]

To manage the logs, don't use logrotate. [Recipe 9.30] Instead, periodically tell Snort to close all of its files and restart, by sending it a SIGHUP signal:

    # kill -HUP `pidof snort`

Then use find to remove all files that are older than (say) a week:

    # find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm

Finally, use find again to remove empty subdirectories:

    # find /var/log/snort -mindepth 1 -depth -type d -print0 | \
        xargs -0 -r rmdir -v --ignore-fail-on-non-empty

To run these commands every night at (for example) 3:30 a.m., put them in a cleanup script (say, /usr/local/sbin/clean-up-snort) and add a crontab entry for root:

    30 3 * * * /usr/local/sbin/clean-up-snort

9.24.3 Discussion

To log network trace data for later analysis, use the -b option. This creates a libpcap-format binary file in the logging directory (by default, /var/log/snort) with a name like snort.log.1047160213: the digits record the start time of the trace, expressed as seconds since the epoch.[11] To convert this value to a more readable format, use either Perl or the date command:

    $ perl -e 'print scalar localtime 1047160213, "\n";'
    Sat Mar  8 16:50:13 2003
    $ date -d "1970-01-01 utc + 1047160213 sec"
    Sat Mar  8 16:50:13 EST 2003

To learn the ending time of the trace, look at the modification time of the file:

    # ls --full-time -o snort.log.1047160213
    -rw-------    1 root        97818 Sat Mar 08 19:05:47 2003 snort.log.1047160213

or use snort -r to examine the network trace data itself.

You can specify a different logging directory with the -l option, or an alternate basename (instead of snort.log) with the -L option; the start timestamp is still appended to the filename.

Because Snort's filenames contain timestamps (each restart opens a fresh file rather than reopening the old one), and because its formatted, non-binary logging mode splits output into per-host subdirectories, logrotate [Recipe 9.30] is not an ideal mechanism for managing these log files. Use the method we suggest, or something similar. Two details matter in practice: send the SIGHUP before the deletion pass, so the file Snort is currently writing is closed and a new one started before anything old is removed; and remember that -mtime +7 selects files whose last modification is more than seven full days in the past, so a trace that is still receiving packets keeps a current modification time and is never deleted out from under Snort.

9.24.4 See Also

snort(8), logrotate(8). The Snort home page is http://www.snort.org.
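The three steps of the solution as one script, an added example here rather than the book's own clean-up-snort (which the recipe names but does not print). As the recipe's flags already do, it assumes a GNU userland (find, xargs, rmdir, date); SNORT_LOGDIR and SNORT_KEEP_DAYS are environment knobs of this example, not Snort options, and trace_start is a helper added here that uses GNU date's @epoch form to turn a snort.log.<epoch> filename into the trace's start time.

```shell
#!/bin/sh
# clean-up-snort: nightly Snort log maintenance (example, not the book's script).
# Assumes GNU find/xargs/rmdir/date and a pidof(8) on the PATH.

SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"   # example knob, not a Snort option
SNORT_KEEP_DAYS="${SNORT_KEEP_DAYS:-7}"          # example knob, not a Snort option

# Print the start time (UTC) encoded in a snort.log.<epoch> filename.
# Returns 1 if the name does not end in an epoch timestamp.
trace_start() {
    ts=${1##*.}
    case $ts in
        ''|*[!0-9]*) return 1 ;;
    esac
    date -u -d "@$ts" '+%Y-%m-%d %H:%M:%S UTC'
}

# Tell every running Snort to close its files and restart, so the trace
# currently being written is finished before anything is deleted.
# Returns 1 (without signalling anything) if no Snort is running.
hup_snort() {
    pids=$(pidof snort 2>/dev/null) || return 1
    # $pids is intentionally unquoted: pidof prints one PID per word.
    kill -HUP $pids
}

# Remove regular files under $1 whose mtime is more than $2 days old.
# -print0/-0 keep odd filenames (per-host directories, port names) safe.
prune_old_files() {
    dir=$1; days=$2
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
}

# Remove empty subdirectories of $1, deepest first; $1 itself is kept.
prune_empty_dirs() {
    find "$1" -mindepth 1 -depth -type d -print0 \
        | xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# The nightly job: HUP first, then prune, in that order.
clean_up_snort() {
    if [ ! -d "$SNORT_LOGDIR" ]; then
        echo "clean-up-snort: no such directory: $SNORT_LOGDIR" >&2
        return 1
    fi
    hup_snort || echo "clean-up-snort: snort is not running; pruning anyway" >&2
    prune_old_files "$SNORT_LOGDIR" "$SNORT_KEEP_DAYS"
    prune_empty_dirs "$SNORT_LOGDIR"
}

# Run the job only when invoked as the script itself (e.g. from cron), so the
# functions above can also be sourced without side effects.
case ${0##*/} in
    clean-up-snort) clean_up_snort ;;
esac
```

Install it as /usr/local/sbin/clean-up-snort with mode 0700, owned by root, and use the crontab line from the solution; running it by hand with a non-default SNORT_LOGDIR and a short SNORT_KEEP_DAYS against a scratch copy of the log tree is a cheap way to confirm what it will delete before trusting it to cron.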