Snort mailing list archives
Re: Unified2 questions
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 27 Apr 2011 09:29:17 -0600
Ok....I got this to fly.....looks like I'll make a new script to gank what I need on the fly ;) Thanks Joel.

James

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, April 27, 2011 8:27 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unified2 questions

Can't you use "pcap" output in barnyard?

J

On Wed, Apr 27, 2011 at 10:22 AM, Lay, James <james.lay () wincofoods com> wrote:

So yea.....I'm sure you all saw this coming ;)

Now that I have unified2 output, the long and short is: what can I do with it? I don't want to run barnyard and pipe to a db...I just want to see the packets command line.

My research/results so far:

Cerberus: Old, slow, shareware

U2boat: errors with no packets output:

[08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
Defaulting to pcap output.
Error: incomplete record. 662559 of 1073741824 bytes read.
[08:11:01:~/log$] ls -l ~/test.pcap
-rw------- 1 0 2011-04-27 08:11 //test.pcap

U2spewfoo: errors with no results:

[08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
get_record: (2) Failed to read all of record data. Read 662559 of 1073741824 bytes

I looked at mudpit as well, but again, it seems to be just a data spooler/redirector.

My process for handling snort alerts is:

See the alert in the logs
Do a whois on the remote IP
tshark -X the current snort.pcap file matching the remote IP to see the raw packet caught

How does unified2 output fit into this type of response?

Thanks for any help all.

James

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
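The unified2 spool format this thread is about, as an added example that is not James's, Joel's or the Snort project's code: a small Python reader that walks the records (each begins with a big-endian type/length header), copies PACKET records into a pcap buffer that tshark can read, and keeps the packets it already has when the last record is shorter than its header claims, which is the "incomplete record" condition u2boat and u2spewfoo stop on. Field layout follows Snort's Unified2_common.h; the sample bytes are constructed.

```python
import struct

UNIFIED2_PACKET = 2  # record type of Serial_Unified2Packet (Unified2_common.h)

def read_unified2_records(data):
    """Yield (rec_type, body) for each record in a unified2 byte stream.
    Each record starts with two big-endian uint32s: type and body length.
    A trailing record whose declared length exceeds the bytes left (the
    'incomplete record' case) is yielded as (None, leftover) and the walk ends."""
    off = 0
    while off + 8 <= len(data):
        rec_type, rec_len = struct.unpack_from(">II", data, off)
        off += 8
        if off + rec_len > len(data):
            yield None, data[off:]
            return
        yield rec_type, data[off:off + rec_len]
        off += rec_len

def parse_packet_record(body):
    """PACKET body: sensor_id, event_id, event_second, packet_second,
    packet_microsecond, linktype, packet_length (all uint32), then raw bytes."""
    fields = struct.unpack_from(">7I", body, 0)
    pkt_sec, pkt_usec, linktype, pkt_len = fields[3:7]
    return pkt_sec, pkt_usec, linktype, body[28:28 + pkt_len]

def unified2_to_pcap(data):
    """Copy packet records into a classic pcap buffer (magic 0xa1b2c3d4,
    v2.4, snaplen 65535, linktype taken from the first packet record).
    Returns (pcap_bytes, packet_count, truncated_tail_seen)."""
    pkts, truncated = [], False
    for rec_type, body in read_unified2_records(data):
        if rec_type is None:
            truncated = True
        elif rec_type == UNIFIED2_PACKET:
            pkts.append(parse_packet_record(body))
    linktype = pkts[0][2] if pkts else 1
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, _lt, raw in pkts:
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out), len(pkts), truncated

def make_packet_record(event_id, sec, usec, payload, linktype=1):
    """Build a constructed unified2 PACKET record (sensor_id fixed to 1)."""
    body = struct.pack(">7I", 1, event_id, sec, sec, usec, linktype, len(payload)) + payload
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed sample: two complete packet records, then a header claiming a
# 1073741824-byte body with only 16 bytes behind it, like the error in the thread.
SAMPLE = (make_packet_record(1, 1303847056, 10, b"\xaa" * 60)
          + make_packet_record(2, 1303847057, 20, b"\xbb" * 40)
          + struct.pack(">II", UNIFIED2_PACKET, 1073741824) + b"\x00" * 16)
```

Writing the returned bytes to a .pcap file gives something `tshark -r` can open to inspect the packets that were logged with the alert.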