[Snort-devel] [barnyard2-users] Re: Offering a 64bit version of Snort for Windows?

Michael Steele michaels at ...2826...
Wed Oct 31 21:14:24 EDT 2012


After the new install, first run, I noticed those events. After sending the
note about odd events, I refreshed the database, removed the logs and
restarted. Those were the events I posted, from the second new run.

Latest version of Snort, and 310 of barnyard2

I'm not sure about u2spewfoo

Michael...

-----Original Message-----
From: barnyard2-users at ...3154...
[mailto:barnyard2-users at ...3154...] On Behalf Of beenph
Sent: Wednesday, October 31, 2012 9:02 PM
To: Michael Steele
Cc: snort-devel; barnyard2-users at ...3154...
Subject: [barnyard2-users] Re: [Snort-devel] Offering a 64bit version of
Snort for Windows?

On Wed, Oct 31, 2012 at 8:29 PM, Michael Steele <michaels at ...2826...>
wrote:
> In my snort.conf:
>
> output unified2: filename merged.log, limit 128
>
> This is the first time I've seen these entries.
>
There could be many reasons why this could happen.
Are you able to reproduce it with an empty log directory and restarting
snort?

Or did someone send you a unified2 file?

What version of snort was used to produce that unified2 file?

But the essence of the message is that barnyard2 read a unified2 packet
event and it was sent to the output plugin, but since there is no cached
event or previously read event that matches, processing will not go further,
since we need a unified2 event (read previously or cached) and a packet to
log to the database.

You also might want to observe the unified2 file structure by using
u2spewfoo.

-elz
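The event/packet pairing beenph describes above, as an added worked example (not barnyard2's or Snort's own code): a minimal unified2 reader that only logs a UNIFIED2_PACKET record when an earlier UNIFIED2_IDS_EVENT with the same (sensor_id, event_id, event_second) is still in its cache, drops packets with no matching event the way barnyard2 warns and skips them, and stops at a truncated trailing record, since Snort may still be writing the spool file. The record layouts are the standard unified2 ones (big-endian type/length header, 52-byte legacy IPv4 event body, packet header followed by raw packet bytes); the match key, the cache size and the sample records are assumptions constructed for this example.

```python
"""Tiny unified2 reader illustrating the barnyard2 event/packet pairing rule.
Example code, not barnyard2; the sample records below are constructed."""
import struct
from collections import OrderedDict

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record (Unified2IDSEvent)

# Record header: type, length (big-endian uint32). length excludes the header.
HDR = struct.Struct("!II")
# Unified2IDSEvent: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked  (52 bytes)
EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
# Unified2Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, followed by packet bytes
PKT = struct.Struct("!IIIIIII")


def build_event(sensor_id, event_id, event_second, sid, gid=1):
    """Serialize a legacy IPv4 event record (constructed addresses/ports)."""
    body = EVENT.pack(sensor_id, event_id, event_second, 0, sid, gid, 1, 0, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                      12345, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, payload, linktype=1):
    """Serialize a packet record tied to an event by (sensor_id, event_id, event_second)."""
    body = PKT.pack(sensor_id, event_id, event_second, event_second, 0,
                    linktype, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(data):
    """Yield (record_type, body). Stop at a truncated tail rather than
    misparse it: the writer may not have finished the last record."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        end = off + HDR.size + length
        if end > len(data):
            break  # partial record; a spooler would wait and retry
        yield rtype, data[off + HDR.size:end]
        off = end


def process(data, cache_size=64):
    """Pair packets with cached events. Returns what would be logged,
    the keys of orphan packets (dropped, as barnyard2 warns), and the
    count of record types this example does not handle."""
    cache = OrderedDict()  # assumed key: (sensor_id, event_id, event_second)
    logged, orphans, unknown = [], [], 0
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) == EVENT.size:
            f = EVENT.unpack(body)
            cache[f[0:3]] = {"gid": f[5], "sid": f[4]}
            if len(cache) > cache_size:
                cache.popitem(last=False)  # evict the oldest event
        elif rtype == UNIFIED2_PACKET and len(body) >= PKT.size:
            f = PKT.unpack_from(body)
            ev = cache.get(f[0:3])
            if ev is None:
                orphans.append(f[0:3])  # no matching event: cannot log
                continue
            pkt = body[PKT.size:PKT.size + f[6]]
            logged.append((ev["gid"], ev["sid"], pkt))
        else:
            unknown += 1
    return {"logged": logged, "orphans": orphans, "unknown": unknown}


# Constructed spool: one matched pair, one orphan packet, one truncated record.
SAMPLE = (
    build_event(1, 1, 1351732800, 1000001)
    + build_packet(1, 1, 1351732800, b"GET / HTTP/1.0\r\n\r\n")
    + build_packet(1, 99, 1351732800, b"\x00" * 8)
    + HDR.pack(UNIFIED2_PACKET, 40) + b"\x00" * 10
)

if __name__ == "__main__":
    r = process(SAMPLE)
    print("logged:", [(g, s, len(p)) for g, s, p in r["logged"]])
    print("orphan packets (no cached event):", r["orphans"])
```

Running it shows one packet logged against sid 1000001, one packet for event_id 99 reported as an orphan, and the truncated tail ignored. If a real spool produces orphans on a clean restart, u2spewfoo on the same file will show whether the event records are genuinely missing, out of order, or of a type the reader does not understand.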
