Snort mailing list archives
Re: Snort3 with ELK
From: Waiting Zeng <waiting () edison tech>
Date: Tue, 24 Jul 2018 10:14:27 +0800
Thanks very much, I built with master and it is fine now. Do you know how to test the rules to verify it is OK?

On Tue, Jul 24, 2018 at 4:40 AM, Russ <rucombs () cisco com> wrote:
> Hi Waiting,
>
> Re the json error: looks like that post omitted mention of snort3_extra, so I'm guessing you didn't build and install the extras. With build 243, json support was in the extras. If you get the latest from github, json support is in snort3 so you won't need extras: https://github.com/snort3/snort3.git
>
> Re running ok: that really depends on what you are trying to do. Please have a look at the snort3_demo repo, which has many working examples to help get you started: https://github.com/snort3/snort3_demo.git
>
> Thanks
> Russ
>
> On 7/22/18 10:17 PM, Waiting Zeng wrote:
>> I followed the link https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html for setup, but have some issues.
>>
>> #1, error log
>>
>> --------------------------------------------------
>> o")~ Snort++ 3.0.0-243
>> --------------------------------------------------
>> Loading /usr/local/snort/etc/snort/snort.lua:
>>     ssh pop binder stream_tcp gtp_inspect dce_http_proxy stream_icmp normalizer ftp_server
>>     stream_udp dce_smb modbus ips ssl latency wizard appid file_id ftp_data back_orifice smtp
>>     port_scan dce_http_server dce_tcp telnet classifications sip rpc_decode http_inspect
>>     stream_ip stream_user dnp3 ftp_client stream references arp_spoof dns dce_udp imap stream_file
>> Finished /usr/local/snort/etc/snort/snort.lua.
>> ERROR: unknown logger alert_json
>> Loading rules:
>> Loading snort3-community-rules/snort3-community.rules:
>> Finished snort3-community-rules/snort3-community.rules.
>> Finished rules.
>> --------------------------------------------------
>> rule counts
>>        total rules loaded: 829
>>                text rules: 829
>>             option chains: 829
>>             chain headers: 46
>> --------------------------------------------------
>> port rule counts
>>              tcp     udp    icmp      ip
>>      any      63       3       0       0
>>      src     124       3       0       0
>>      dst     539      98       0       0
>>     both       0       1       0       0
>>    total     726     105       0       0
>> --------------------------------------------------
>> flowbits
>>                   defined: 20
>>               not checked: 11
>>                   not set: 3
>> --------------------------------------------------
>> service rule counts - tcp      to-srv  to-cli
>>                          dns:       1       0
>>                          ftp:       7       2
>>                     ftp-data:       0       8
>>                         http:     485      92
>>                         imap:       0       8
>>                          irc:       4       1
>>                  netbios-ssn:      15       1
>>                         pop3:       0       8
>>                         smtp:      16       0
>>                          ssl:      14      31
>>                       telnet:       1       0
>>                        total:     543     151
>> --------------------------------------------------
>> service rule counts - udp      to-srv  to-cli
>>                          dns:      88       2
>>                         http:       4       0
>>                        total:      92       2
>> --------------------------------------------------
>> fast pattern port groups        src     dst     any
>>                      packet:     13      24       2
>> --------------------------------------------------
>> fast pattern service groups  to-srv  to-cli
>>                      packet:     10       6
>>                         key:      1       0
>>                      header:      1       4
>>                        body:      1       0
>>                        file:      2       4
>> --------------------------------------------------
>> search engine
>>                 instances: 65
>>                  patterns: 2719
>>             pattern chars: 49786
>>                num states: 38972
>>          num match states: 2649
>>              memory scale: MB
>>              total memory: 1.04895
>>            pattern memory: 0.151139
>>         match list memory: 0.384735
>>         transition memory: 0.505138
>> --------------------------------------------------
>> pcap DAQ configured to passive.
>> FATAL: see prior 1 errors (0 warnings)
>> Fatal Error, Quitting..
>>
>> #2, how to test if the snort3 have run fine?
>>
>> --
>> Thank
>> Waiting
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists snort org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>> To unsubscribe, send an email to: snort-users-leave () lists snort org
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
-- Thank Waiting
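A way to check a build for exactly the failure in this thread (the missing alert_json logger) and then exercise rules and JSON logging end to end, as an added example that is not from the thread or the Snort project. It assumes snort is on PATH, that --list-plugins prints one "type::name ..." line per plugin, and a pcap path you supply in place of the placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a Snort 3 build
# before wiring it to ELK. Assumes 'snort' is on PATH; the pcap path is a
# placeholder you must supply.
set -eu

# Succeed when logger $1 appears in a plugin listing read from stdin
# (the text 'snort --list-plugins' prints; assumed one "type::name ..."
# entry per line).
has_logger() {
    grep -qE "^logger::$1( |\$)"
}

# Count alert records in an alert_json output file: the logger writes one
# JSON object per line, so lines opening with '{' are alerts.
count_alerts() {
    grep -c '^{' "$1" || true
}

verify_snort() {
    conf=$1; pcap=$2; out=$3

    # 1. "ERROR: unknown logger alert_json" in the thread means the logger
    #    is not in this build (snort3_extra or a newer snort3 provides it).
    if ! snort --list-plugins | has_logger alert_json; then
        echo "alert_json logger missing: build snort3_extra or a newer snort3" >&2
        return 1
    fi

    # 2. Parse and validate the configuration without reading any traffic.
    snort -c "$conf" -T -q

    # 3. Replay a pcap with a throwaway rule that fires on every ICMP packet
    #    and log as JSON lines; alerts > 0 proves rules and logger end to end.
    rules=$(mktemp)
    echo 'alert icmp any any -> any any ( msg:"selftest icmp"; sid:1000001; rev:1; )' > "$rules"
    snort -c "$conf" -R "$rules" -r "$pcap" -A alert_json -q > "$out"
    rm -f "$rules"

    n=$(count_alerts "$out")
    echo "alert_json records: $n"
    [ "$n" -gt 0 ]
}

# Usage: sh verify_snort.sh run  (config path is the one from the thread;
# replace /path/to/icmp.pcap with a capture that contains ICMP traffic)
if [ "${1:-}" = run ]; then
    verify_snort /usr/local/snort/etc/snort/snort.lua /path/to/icmp.pcap alerts.json
fi
```

Step 1 fails on a build 243 install without the extras, which is the state the original error log shows; once the logger is present, step 3 produces the JSON lines Logstash expects.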
Current thread:
- Snort3 with ELK Waiting Zeng (Jul 23)
- Re: Snort3 with ELK Y M via Snort-users (Jul 24)
- Re: Snort3 with ELK Russ via Snort-users (Jul 24)
- Re: Snort3 with ELK Waiting Zeng (Jul 24)