Linux Security Cookbook

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
June 2003
Intermediate to advanced
336 pages
8h 54m
English
O'Reilly Media, Inc.
Content preview from Linux Security Cookbook

9.25. Partitioning Snort Logs Into Separate Files

Problem

You want to split Snort’s log output into separate files, based on the IP addresses and protocols detected.

Solution

# snort -l /var/log/snort -h network -r snort.log.timestamp

(Here network is your home network in CIDR notation and timestamp is the numeric suffix of the binary log file to be read; both are shown with real values in the Discussion.)

Discussion

Snort can split its formatted output into separate files: one directory per remote IP address, with a file inside it for each protocol and port pair seen. Each file holds the same decoded packet text that snort -v prints. Select this mode with the -l option but without -b, and add the -h option to name the “home network”; Snort uses that network to decide which end of each packet is the remote one. With -r, Snort reads an existing binary log file instead of sniffing an interface:

# cd /var/log/snort
# snort -l /var/log/snort -h 10.22.33.0/24 -r snort.log.1047160213
...
# find [0-9A-Z]* -type f -print | sort
10.30.188.28/TCP:1027-22
192.168.33.1/IP_FRAG
192.168.33.1/UDP:2049-800
192.168.33.2/TCP:6000-1050
192.168.33.2/TCP:6000-1051
192.168.33.2/TCP:6000-1084
ARP

The two numbers in the name of a TCP or UDP file are the remote and local port numbers, in that order. Fragmented IP packets that could not otherwise be classified go into a file named IP_FRAG under the remote host’s directory. ARP packets go into a single file named ARP in the top-level logging directory.

Don’t use split formatted output for logging while sniffing packets from the network: it’s inefficient and discards information. For logging, we recommend binary libpcap-format files (produced by the -b option) for speed and flexibility. [Recipe 9.16] You can always split and format the output later, using the technique ...


ISBN: 0596003919