[Snort-devel] unified2 alert files with trailing period and no appended timestamp?

Mike Cox mike.cox52 at ...2499...
Fri Jan 17 15:49:54 EST 2014


Unfortunately I cannot (NDA with client).  Other than what I've already
provided, I can say that the .unified2.alert.0 file appears to be the
correct unified2 file (and in the correct directory), it's just that
filename seems to be wack.

I've tried adding flags to the output line like these but I still get the
same results:


    output unified2: filename unified2.alert, nostamp

    output unified2: filename unified2.alert, mpls_event_types

Thanks.

-Mike Cox


On Fri, Jan 17, 2014 at 1:20 PM, Bhagya Bantwal <bbantwal at ...402...> wrote:

> Hello Mike,
>
> Can you send me your snort.conf, pcap and command line?
>
> Thanks!
>
> B
>
>
> On Fri, Jan 17, 2014 at 9:04 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
>
>> I'm investigating a client's setup and they are running Snort 2.9.3.1.
>>
>> The snort conf file has the following line:
>>
>>     output unified2: filename unified2.alert
>>
>> Snort is being run with an explicit '-l' switch to set the log directory.
>>
>> When I run a pcap thru the engine that generates an alert, the unified2
>> alert filename in the log directory looks like this (note the leading
>> period and lack of appended timestamp):
>>
>>     .unified2.alert.0
>>
>> Is this a known bug with this version of Snort?  Any other reason why
>> this would be happening?
>>
>> Thanks.
>>
>> -Mike Cox
>>
>>
>
>
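One way to check both claims in the thread, that the file really is unified2 and that only its name is off, as an added example that is not part of this thread or of Snort's own code. The record type ids are those from Snort's Unified2_common.h; the filename rule assumed here is Snort's default of appending ".<10-digit unix time>" to the configured base name, and no suffix at all with nostamp.

```python
import os
import struct

# Every unified2 record starts with a big-endian uint32 type and uint32 length.
RECORD_HEADER = struct.Struct(">II")

# Record type ids as defined in Snort's Unified2_common.h.
RECORD_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}


def walk_unified2(data):
    """Yield (record_type, payload) per record; raise on a malformed or truncated file."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rec_type, rec_len = RECORD_HEADER.unpack_from(data, offset)
        start, offset = offset, offset + RECORD_HEADER.size
        if rec_type not in RECORD_TYPES or offset + rec_len > len(data):
            raise ValueError(f"bad record at offset {start}: type={rec_type} len={rec_len}")
        yield rec_type, data[offset:offset + rec_len]
        offset += rec_len
    if offset != len(data):
        raise ValueError("trailing bytes shorter than a record header")


def summarize(data):
    """Count records per type; a file that is not unified2 fails here, not later in barnyard2."""
    counts = {}
    for rec_type, _ in walk_unified2(data):
        counts[RECORD_TYPES[rec_type]] = counts.get(RECORD_TYPES[rec_type], 0) + 1
    return counts


def classify_filename(path, configured, nostamp=False):
    """Return the naming anomalies of one output file relative to the configured base name."""
    base = os.path.basename(path)
    problems = []
    if base.startswith("."):
        problems.append("leading-dot")
        base = base[1:]
    if not base.startswith(configured):
        return problems + ["base-name-mismatch"]
    suffix = base[len(configured):]
    if nostamp:
        if suffix:
            problems.append("unexpected-suffix")
    elif not (suffix.startswith(".") and len(suffix) == 11 and suffix[1:].isdigit()):
        # Snort appends ".<10-digit unix time>"; a bare ".0" is a counter, not a timestamp.
        problems.append("counter-not-timestamp" if suffix.lstrip(".").isdigit() else "missing-timestamp")
    return problems


# Constructed sample: one zeroed IDS_EVENT (52-byte legacy struct) followed by one PACKET record.
SAMPLE_FILE = (RECORD_HEADER.pack(7, 52) + bytes(52) +
               RECORD_HEADER.pack(2, 24) + bytes(24))
```

Run `summarize(open(path, "rb").read())` against the file in the -l directory; a clean record count with the "leading-dot" and "counter-not-timestamp" anomalies from `classify_filename` points at the naming, not the data.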