9.24. Logging with Snort

Problem

You want to manage Snort’s output and log files in an efficient, effective manner.

Solution

To log network trace data for later analysis:

# snort -b [-l logging-directory] [-L basename]

To examine the network trace data:

$ snort -r logfile

or use any other program that reads libpcap-format files, like Ethereal. [Recipe 9.17]

To manage the logs, don’t use logrotate. [Recipe 9.30] Instead, periodically tell Snort to close all of its files and restart, by sending it a SIGHUP signal:

# kill -HUP `pidof snort`

Then, use find to remove all files that are older than (say) a week:

# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm

Finally, use find again to remove empty subdirectories:

# find /var/log/snort -mindepth 1 -depth -type d -print0 | \
  xargs -0 -r rmdir -v --ignore-fail-on-non-empty

To run these commands (for example) every night at 3:30 a.m., create a cleanup script (say, /usr/local/sbin/clean-up-snort) and add a crontab entry for root:

30 3 * * * /usr/local/sbin/clean-up-snort
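The cleanup script the crontab entry above invokes, as an added example rather than the book's own script: it wraps the three steps of the recipe (SIGHUP to Snort, delete old files, remove empty subdirectories) in shell functions so the retention logic can be exercised against any directory before it is pointed at the real logs. The path /usr/local/sbin/clean-up-snort and the seven-day retention come from the recipe; the function names, the SNORT_LOG_DIR and KEEP_DAYS variables, and the guard against an empty directory argument are assumptions of this example.

```shell
#!/bin/sh
# /usr/local/sbin/clean-up-snort  (added example; not the book's own script)
# Nightly housekeeping for Snort's logging directory:
#   1. ask Snort to close and reopen its log files (SIGHUP)
#   2. delete trace/alert files older than KEEP_DAYS days
#   3. remove subdirectories left empty by step 2

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"   # Snort's default -l directory
KEEP_DAYS="${KEEP_DAYS:-7}"                         # retention, in days (assumed default)

# Step 1: send SIGHUP to every running snort process, if any.
# pidof prints nothing and exits non-zero when Snort is not running, so the
# function is then a no-op instead of an error that would abort the script.
reopen_snort_logs() {
    pids=$(pidof snort 2>/dev/null) || return 0
    [ -n "$pids" ] && kill -HUP $pids
    return 0
}

# Steps 2 and 3, parameterised so they can be run against any directory.
# Arguments: $1 = logging directory, $2 = number of days to keep.
prune_snort_logs() {
    dir=$1
    days=$2
    # Refuse to operate on an unset or non-existent directory: with an empty
    # $dir, find would scan the current working directory instead.
    [ -n "$dir" ] && [ -d "$dir" ] || return 1
    # -print0 / xargs -0 keep unusual filenames intact; xargs -r avoids
    # running rm with no arguments when nothing matched.
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
    # -depth processes children before parents so nested empty dirs go too;
    # -mindepth 1 keeps the top-level logging directory itself.
    find "$dir" -mindepth 1 -depth -type d -print0 | \
        xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Run the housekeeping only when executed as the script itself, not when
# sourced into another shell for testing.
if [ "$(basename -- "$0")" = "clean-up-snort" ]; then
    reopen_snort_logs
    prune_snort_logs "$SNORT_LOG_DIR" "$KEEP_DAYS"
fi
```

Because the file and directory pruning is a function taking the directory as an argument, it can be tried against a scratch directory populated with deliberately old files before it is trusted on /var/log/snort; the empty-argument guard matters because `find "" ...` would silently walk the current directory.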

Discussion

To log network trace data for later analysis, use the -b option. This creates a libpcap-format binary file in the logging directory (by default, /var/log/snort) with a name like snort.log.1047160213: the digits record the start time of the trace, expressed as seconds since the epoch.[11] To convert this value to a more readable format, use either Perl or the date command:

$ perl -e 'print scalar localtime 1047160213, "\n";'
Sat Mar 8 16:50:13 2003
$ date -d ...
