Snort mailing list archives
Re: Snort ->Barnyard2
From: beenph <beenph () gmail com>
Date: Mon, 29 Aug 2011 23:57:13 -0400
On Mon, Aug 29, 2011 at 11:08 PM, James Kaufman <jmk () kaufman eden-prairie mn us> wrote:
> Snort 2.9.1 is running on my CentOS 5.6 server. I compiled snort from tarball:
>
>     # snort -V
>        ,,_     -*> Snort! <*-
>       o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
>        ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>                Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>                Using libpcap version 1.1.1
>                Using PCRE version: 6.6 06-Feb-2006
>                Using ZLIB version: 1.2.3
>
>     # ps -aef|grep snort
>     snort 31528 1 0 Aug27 ? 00:03:17 /usr/local/bin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>
> I have this in snort.conf:
>
>     # unified2
>     # Recommended for most installs
>     output unified2: filename merged.log, limit 128, nostamp
>
> There are no other uncommented output lines. /var/log/snort has:
>
>     # dir -l
>     total 1168
>     -rw-r--r-- 1 root  root  676540 Aug 28 09:47 alert
>     -rw------- 1 snort snort 149779 Aug 27 13:52 snort.log.1314471019
>     -rw------- 1 snort snort 339181 Aug 28 09:47 snort.log.1314471620
Have you tried to look on your system for a merged.log* file?

Also, if you intend to use barnyard2, make sure to remove the nostamp option from your snort.conf output unified2 line; barnyard2 running in continuous mode won't process it, and after 128 MB snort will overwrite your file (unless this behaviour has changed).

Is your snort process freshly restarted, or did you kill -HUP it with some config changes? Are you sure your snort process is using the right config file?

I hope this can help you.

-elz
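The check the reply suggests, written out as an added example (not code from the thread or from the Snort or barnyard2 projects): it reads the active `output unified2:` line from a snort.conf, reports whether it carries `nostamp`, prints the same line with the option removed, and lists the spool files snort would write under that base filename in the log directory. Paths and the sample config line in the usage are constructed for illustration; the helper names are assumptions of this example.

```shell
#!/bin/sh
# check_unified2.sh (constructed example, not part of the original thread)
# Inspect a snort.conf for the active 'output unified2:' line, flag the
# nostamp option (barnyard2 in continuous mode follows timestamped spool
# files), and show the corrected line and the spool files in the log dir.

# Print the active (uncommented) 'output unified2:' line of a snort.conf.
unified2_line() {
    grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1"
}

# Return 0 (true) if the active unified2 output line carries nostamp.
has_nostamp() {
    unified2_line "$1" | grep -q 'nostamp'
}

# Print the unified2 output line with the ', nostamp' option removed.
fixed_unified2_line() {
    unified2_line "$1" | sed -E 's/,[[:space:]]*nostamp//'
}

# List the spool files snort writes for that config: <logdir>/<filename>*
# Arguments: $1 = snort.conf, $2 = log directory
spool_files() {
    base=$(unified2_line "$1" | sed -E 's/.*filename[[:space:]]+([^,]+).*/\1/')
    ls "$2"/"$base"* 2>/dev/null
}

# Usage (paths assumed for illustration):
#   if has_nostamp /etc/snort/snort.conf; then
#       echo "nostamp set; use instead:"; fixed_unified2_line /etc/snort/snort.conf
#   fi
#   spool_files /etc/snort/snort.conf /var/log/snort
```

A commented `# output unified2:` line is skipped by the anchored `grep`, so only the line snort actually loads is examined; if nothing prints, the config has no active unified2 output at all, which is worth confirming against the `-c` path shown by `ps` before looking any further.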