2.4.5 Event Trace

Snort supports logging additional information to a file about the events it generates, relative to the specific blocks of data that matched the rule. Each entry logged includes information about the event (the GID, SID, and other event data) plus packet data: sizes, timestamps, and the raw, normalized, and decompressed buffers extracted from the packet that may have been used in evaluating the rule. The amount of packet data written per buffer is limited for each entry (see max_data below). This is useful when debugging rules.

The event_trace config option in snort.conf provides this control.

The general configuration for event tracing is as follows:

verbatim498#

There are two configuration options for event_trace.

1. file

   This sets the file name into which the trace data is written, within Snort's log directory (see the -l command line option).

   The default is event_trace.txt.

2. max_data

   This specifies the maximum number of bytes from each buffer of data to write into the file.

   The default is 64 bytes; valid values range from 1 to 65535 bytes.

2.4.5.1 Event Trace Examples

The default configuration:

verbatim499#

Use the default file, but change the amount of data logged:

verbatim500#

Change the file name to which event traces are logged:

verbatim501#
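The following snort.conf fragment is an added illustration, not example text from the manual itself. It assumes the usual snort.conf directive form `config <option>: <args>`; only the option names (file, max_data), their defaults (event_trace.txt, 64 bytes) and the valid range (1 to 65535) come from the text above. The value 128 and the file name my_event_trace.txt are constructed for the example.

```conf
# Added example, not from the Snort manual. Assumed general form:
#   config event_trace: [file <filename>] [max_data <bytes>]
# Option names, defaults and the 1-65535 range are as documented above.

# Default configuration: traces go to <logdir>/event_trace.txt,
# with at most 64 bytes written from each buffer.
config event_trace

# Keep the default file, but log up to 128 bytes from each buffer.
# (128 is a constructed value; anything from 1 to 65535 is valid.)
config event_trace: max_data 128

# Write traces to a differently named file in the log directory.
# (my_event_trace.txt is a constructed name.)
config event_trace: file my_event_trace.txt

# Both options together.
config event_trace: file my_event_trace.txt max_data 128
```

Because each entry carries up to max_data bytes from every buffer that contributed to the match, raising max_data on a busy sensor increases trace volume quickly; the trace is a rule-debugging aid and is best enabled only while a rule is under investigation.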