Snort mailing list archives
FW: snort logging issue
From: Y M <snort () outlook com>
Date: Wed, 13 Feb 2013 22:22:22 +0300
Replying to all.

YM

________________________________
From: Y M <mailto:snort () outlook com>
Sent: 2/13/2013 10:18 PM
To: J MCN <mailto:nmkj05 () gmail com>
Subject: RE: [Snort-users] snort logging issue

Snort logs are in binary PCAP format. You can read the logs with Snort itself using -r, or you can also use Wireshark. You can log in ASCII, but it's slower than logging in binary. Ultimately, you want to log in unified2 and then use barnyard2 to read or store data to a database.

YM

________________________________
From: J MCN <mailto:nmkj05 () gmail com>
Sent: 2/13/2013 10:05 PM
To: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] snort logging issue

Hey Folks -

I recently fired up snort using arch armv6 and a raspberry pi. I then used yaourt to install snort as pacman didn't seem to find snort in the community repo like the docs said. It works fairly well but whenever it writes to /var/log/snort/snort.log.* the characters it uses are unreadable.

Example: Testing with ping:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

02/13-13:52:45.181625 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.1 -> 192.168.2.3
02/13-13:52:45.181836 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.3 -> 192.168.2.1
02/13-13:52:46.182778 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.1 -> 192.168.2.3

Writing directly to the console appears all good. But the log itself looks like this:

cat snort.log.1360777055
?ò??{??fbb?'????H?~EW@??????s>CQ? !"#$%&'()*+,-./01234567{?rgbb??H?~]?'?ET?\@o??????s>CQ? !"#$%&'()*+,-./01234567|??ibb?'????H?~ET8M@?????#>CQ| !"#$%&'()*+,-./01234567|?Ojbb??H?~]?'?ET?]@o??????#>CQ|

I have tried a few different output configurations at this point. Same state regardless of the output options it seems. Also tried to rebuild from scratch using another raspi with the same result (I thought I messed up my locale before compiling snort).
Not quite sure what else to try. Same results leaving the snort.conf as default as possible. Any thoughts or comments?

Thanks
J

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more. http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
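An added example, not from either poster, of checking what an "unreadable" snort.log file actually is: a Python snippet that recognises a libpcap file by its magic number, decodes the global header and packet records, applies a heuristic for unified2 (which has no file magic) and otherwise reports text or unknown. The pcap, unified2 and text samples are constructed inline and are not the poster's files; the field names and the unified2 heuristic bounds are this example's own.

```python
import struct

# libpcap magic numbers: (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanoseconds
}

def identify_snort_log(data: bytes) -> dict:
    """Classify the first bytes of a Snort log file (e.g. open(path, 'rb').read(4096))."""
    if len(data) >= 24 and data[:4] in PCAP_MAGICS:
        order, res = PCAP_MAGICS[data[:4]]
        # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
        _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
        info = {"format": "pcap", "version": f"{major}.{minor}", "snaplen": snaplen,
                "linktype": linktype, "timestamps": res, "packets": [],
                "read_with": "snort -r FILE (or wireshark FILE)"}
        # Each record: ts_sec, ts_frac, incl_len, orig_len (16 bytes) then incl_len packet bytes
        off = 24
        while off + 16 <= len(data):
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
            if off + 16 + incl_len > len(data):
                break  # truncated final record (e.g. Snort is still writing the file)
            info["packets"].append({"ts_sec": ts_sec, "incl_len": incl_len, "orig_len": orig_len})
            off += 16 + incl_len
        return info
    # unified2 has no file magic; each record starts with a big-endian (type, length) header.
    # Heuristic: known record types are small (2 = packet, 7 = IDS event, 110 = extra data).
    if len(data) >= 8:
        rtype, rlen = struct.unpack(">II", data[:8])
        if 1 <= rtype <= 200 and 0 < rlen <= 65535 and len(data) >= 8 + rlen:
            return {"format": "unified2", "first_record_type": rtype, "first_record_len": rlen,
                    "read_with": "barnyard2"}
    try:
        data.decode("ascii")
        return {"format": "text"}
    except UnicodeDecodeError:
        return {"format": "unknown"}

# Constructed samples (not the poster's real files): a little-endian pcap v2.4 header with
# snaplen 65535 and linktype 1 (Ethernet) plus one 14-byte record; a unified2-style header;
# and one line in the console alert format shown in the thread.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1360777055, 181625, 14, 14) + b"\x00" * 14)
SAMPLE_U2 = struct.pack(">II", 7, 4) + b"\x00" * 4
SAMPLE_TEXT = b"02/13-13:52:45.181625 [**] [1:10000001:0] ICMP test [**] [Priority: 0]\n"
```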