Snort mailing list archives
Re: snort - unified2 format
From: "Steve Crow" <scrow () amarilloheartgroup com>
Date: Wed, 11 Jun 2014 15:24:48 -0500
I will give this a try as well.

Steve

From: Michael Mittentag [mailto:michael.mittentag () gmail com]
Sent: Wednesday, June 11, 2014 10:04 AM
To: Joel Esler (jesler)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort - unified2 formart

Great, I tried that and it worked! What I did was comment out the following in /etc/sysconfig/snort:

#ALERTMODE=fast
#BINARY_LOG=1

Now when I start snort using /etc/init.d/snortd it runs the following instead:

/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

and now I am seeing the snort.u2 and it is sending over to the DB.

Thanks again for all your help!

On Wed, Jun 11, 2014 at 10:44 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

You have "-A fast -b" on the command line. This overrides your output directive in the snort.conf.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jun 11, 2014, at 10:30 AM, Michael Mittentag <michael.mittentag () gmail com> wrote:

I am running the latest version of snort, snort-2.9.6.1-1.x86_64. In /etc/snort/snort.conf I added this and commented out the other lines:

output unified2: filename snort.u2, limit 128

If I try to start snort using the /etc/init.d/snortd script it runs it as:

/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

and I never see those snort u2 files; instead I see:

/var/log/snort/snort.log.xxxxxxxxxxx

and barnyard2 seems to have an issue with reading those files. If I manually run snort from (/usr/sbin/snort -c /etc/snort/snort.conf) without any options it then creates the right file type:

/var/log/snort/snort.u2.xxxxxxxx

It is almost like it is not reading /etc/snort/snort.conf? If anyone has any ideas that would be great.

Thanks

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
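The symptom in this thread is that the init script's -A fast -b options silently win over the output unified2 line in snort.conf, so the sensor writes snort.log.* in tcpdump (pcap) format instead of the snort.u2.* files barnyard2 expects. The following is an added check, not code from the thread or from the Snort project, that tells the two on-disk formats apart by their leading bytes and walks the unified2 record headers so a truncated spool file is caught before barnyard2 chokes on it; the sample byte strings are constructed here, not captured from a sensor.

```python
import struct

# pcap files begin with a 4-byte magic number (microsecond or nanosecond
# variant, either byte order); this is what "snort -b" writes to snort.log.*.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # 0xa1b2c3d4, big/little endian
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # 0xa1b23c4d nanosecond variant
}

# Unified2 record types from Snort's Unified2_common.h; every record is a
# big-endian (type, length) header followed by `length` bytes of body.
UNIFIED2_TYPES = {
    2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA",
}


def identify_snort_log(data: bytes) -> str:
    """Classify the start of a Snort output file as 'pcap', 'unified2' or 'unknown'."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= 8:
        rec_type, rec_len = struct.unpack(">II", data[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len <= len(data) - 8:
            return "unified2"
    return "unknown"


def unified2_records(data: bytes):
    """Yield (type_name, body_length) for each record header; raise on truncation."""
    offset = 0
    while offset + 8 <= len(data):
        rec_type, rec_len = struct.unpack(">II", data[offset:offset + 8])
        if offset + 8 + rec_len > len(data):
            raise ValueError(f"truncated unified2 record at offset {offset}")
        yield UNIFIED2_TYPES.get(rec_type, f"UNKNOWN({rec_type})"), rec_len
        offset += 8 + rec_len


def is_well_formed_unified2(data: bytes) -> bool:
    """True when the file parses as one or more complete unified2 records."""
    try:
        return sum(1 for _ in unified2_records(data)) > 0
    except ValueError:
        return False


# Constructed samples: a pcap global header, and a unified2 spool holding a
# 52-byte IDS_EVENT (type 7) followed by a 12-byte PACKET (type 2); bodies zeroed.
PCAP_SAMPLE = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16
U2_SAMPLE = struct.pack(">II", 7, 52) + b"\x00" * 52 + struct.pack(">II", 2, 12) + b"\x00" * 12
```

Run identify_snort_log on the first few kilobytes of whatever appears under /var/log/snort after restarting the init script: "pcap" means the -b flag is still in effect and the unified2 directive is being ignored.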
Current thread:
- snort - unified2 formart Michael Mittentag (Jun 11)
- Re: snort - unified2 formart Joel Esler (jesler) (Jun 11)
- Re: snort - unified2 formart Michael Mittentag (Jun 11)
- Re: snort - unified2 format Steve Crow (Jun 11)
- Re: snort - unified2 formart Michael Mittentag (Jun 11)
- <Possible follow-ups>
- Re: snort - unified2 formart Y M (Jun 11)
- Re: snort - unified2 formart Joel Esler (jesler) (Jun 11)