[Snort-devel] Offering a 64bit version of Snort for Windows?
beenph at ...2499...
Wed Oct 31 21:02:11 EDT 2012
On Wed, Oct 31, 2012 at 8:29 PM, Michael Steele <michaels at ...2826...> wrote:
> In my snort.conf:
> output unified2: filename merged.log, limit 128
> This is the first time I've seen these entries.
There could be many reasons why this could happen.
Are you able to reproduce it with an empty log directory and restarting snort?
Or did someone send you a unified2 file?
What version of snort was used to produce that unified2 file?
But the essence of the message is that barnyard2 read a unified2 packet event
and it was sent to the output plugin, but since there is no cached
event or previously read event that matches,
processing will not go further, since we need a unified2 event (read
previously or cached) and a packet to log to the database.
You also might want to observe the unified2 file structure by using u2spewfoo.
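Added example (not from the original post, Snort or barnyard2): a small Python walker over a unified2 byte stream that, like u2spewfoo, steps record by record and applies the pairing rule described above. It assumes the type 7 (IDS event) and type 2 (packet) record layouts and that a packet matches an event on sensor_id, event_id and event_second; the sample stream is constructed inline.

```python
import struct

# Unified2 record type values (assumed from Snort's unified2 headers).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

def ids_event(sensor_id, event_id, event_second, sid, gid):
    """Build a constructed 52-byte type 7 IDS event record (assumed layout)."""
    body = struct.pack("!IIIIIIIIIIIHHBBBB",
                       sensor_id, event_id, event_second, 0,   # ids, event_second, usec
                       sid, gid, 1, 0, 1,                       # sig, gen, rev, class, prio
                       0x0A000001, 0x0A000002,                  # 10.0.0.1 -> 10.0.0.2
                       12345, 80, 6, 0, 0, 0)                   # ports, proto, impact, blocked
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def packet_record(sensor_id, event_id, event_second, payload):
    """Build a constructed type 2 packet record (assumed layout, linktype 1 = Ethernet)."""
    hdr = struct.pack("!IIIIIII", sensor_id, event_id, event_second,
                      event_second, 0, 1, len(payload))
    body = hdr + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

def iter_records(data):
    """Yield (type, body) for each record; header is 4-byte type + 4-byte length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8: off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, body
        off += 8 + rlen

def pair_packets(data):
    """A packet is loggable only if an event with the same key was read before it.
    Returns (logged, orphaned) lists of (sensor_id, event_id, event_second) keys."""
    seen, logged, orphaned = set(), [], []
    for rtype, body in iter_records(data):
        key = struct.unpack_from("!III", body, 0)  # both layouts start with these 3 fields
        if rtype == UNIFIED2_IDS_EVENT:
            seen.add(key)
        elif rtype == UNIFIED2_PACKET:
            (logged if key in seen else orphaned).append(key)
    return logged, orphaned

# Constructed sample: event 1 and its packet, then a packet whose event was never written.
SAMPLE = (ids_event(1, 1, 1351731751, 1000001, 1)
          + packet_record(1, 1, 1351731751, b"\x00" * 14)
          + packet_record(1, 2, 1351731751, b"\x00" * 14))

if __name__ == "__main__":
    logged, orphaned = pair_packets(SAMPLE)
    print("loggable packets:", logged)
    print("packets with no matching event:", orphaned)
```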