[Snort-devel] unified2 alert files with trailing period and no appended timestamp?

Bhagya Bantwal bbantwal at ...402...
Tue Jan 21 08:27:20 EST 2014


If you remove the nostamp config option, the timestamps will be appended to
the filename.

Thanks!


On Fri, Jan 17, 2014 at 3:49 PM, Mike Cox <mike.cox52 at ...2499...> wrote:

> Unfortunately I cannot (NDA with client).  Other than what I've already
> provided, I can say that the .unified2.alert.0 file appears to be the
> correct unified2 file (and in the correct directory), it's just that
> filename seems to be wack.
>
> I've tried adding flags to the output line like these but I still get the
> same results:
>
>
> *output unified2: filename unified2.alert, nostamp*
>
> *output unified2: filename unified2.alert, mpls_event_types*
>
> Thanks.
>
> -Mike Cox
>
>
> On Fri, Jan 17, 2014 at 1:20 PM, Bhagya Bantwal <bbantwal at ...402...> wrote:
>
>> Hello Mike,
>>
>> Can you send me your snort.conf, pcap and command line?
>>
>> Thanks!
>>
>> B
>>
>>
>>  On Fri, Jan 17, 2014 at 9:04 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
>>
>>>  I'm investigating a client's setup and they are running Snort 2.9.3.1.
>>>
>>> The snort conf file has the following line:
>>>
>>> *output unified2: filename unified2.alert*
>>>
>>> Snort is being run with an explicit '-l' switch to set the log directory.
>>>
>>> When I run a pcap thru the engine that generates an alert, the unified2
>>> alert filename in the log directory looks like this (note the leading
>>> period and lack of appended timestamp):
>>>
>>> *.unified2.alert.0*
>>>
>>> Is this a known bug with this version of Snort?  Any other reason why
>>> this would be happening?
>>>
>>> Thanks.
>>>
>>> -Mike Cox
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>>> Critical Workloads, Development Environments & Everything In Between.
>>> Get a Quote or Start a Free Trial Today.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>>
>
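Since the thread turns on whether `.unified2.alert.0` really is a usable unified2 spool file and what its suffix means, here is an added example (not code from Snort or from either poster) that walks a unified2 file record by record, decodes the IDS event records, and classifies a filename suffix the way the reply above describes: a unix-epoch-looking suffix means timestamps were appended, anything else means the `nostamp` style was in effect. The record layouts (8-byte big-endian type/length header; type 7 IDS event of 52 bytes; type 104 IDS event v2 of 60 bytes; type 2 packet) are my reading of Snort's `Unified2Common.h` and are an assumption, as is the "ten or more digits looks like an epoch" heuristic; the sample byte stream is constructed inline.

```python
"""Walk a Snort unified2 spool file and summarise its records.

Added example for the snort-devel thread above; not Snort's own code.
Record layouts follow Snort's Unified2Common.h as I understand them and
are an assumption, not something the thread states.
"""
import re
import socket
import struct
from typing import Dict, Iterator, List, NamedTuple, Optional

# Record type values assumed from Unified2Common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_V2 = 104

RECORD_HEADER = struct.Struct("!II")            # record type, payload length (network order)
IDS_EVENT = struct.Struct("!11IHHBBBB")         # 52-byte IDS event (type 7)
IDS_EVENT_V2 = struct.Struct("!11IHHBBBBIHH")   # 60-byte IDS event v2 (type 104): + mpls, vlan, pad

# Heuristic (assumption): a suffix of 10+ digits is a unix timestamp, as when
# nostamp is absent; a short numeric suffix such as ".0" is not a timestamp.
SUFFIX_RE = re.compile(r"^\.?(?P<base>.+)\.(?P<suffix>\d+)$")


class Record(NamedTuple):
    rtype: int
    payload: bytes


def iter_records(data: bytes) -> Iterator[Record]:
    """Yield (type, payload) for each complete record in the spool file.

    Snort appends records as events arrive, so a partial record at the end of
    a file that is still being written is normal and simply ends the walk.
    """
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + length > len(data):
            break
        yield Record(rtype, data[off:off + length])
        off += length


def decode_event(rec: Record) -> Optional[dict]:
    """Decode the fields shared by the v1 and v2 IDS event layouts."""
    if rec.rtype == UNIFIED2_IDS_EVENT and len(rec.payload) == IDS_EVENT.size:
        f = IDS_EVENT.unpack(rec.payload)
    elif rec.rtype == UNIFIED2_IDS_EVENT_V2 and len(rec.payload) == IDS_EVENT_V2.size:
        f = IDS_EVENT_V2.unpack(rec.payload)
    else:
        return None
    ip = lambda n: socket.inet_ntoa(struct.pack("!I", n))
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sig_id": f[4], "gen_id": f[5], "sig_rev": f[6],
        "src": ip(f[9]), "dst": ip(f[10]), "sport": f[11], "dport": f[12],
        "proto": f[13],
    }


def summarise(data: bytes) -> dict:
    """Count records per type and collect the decoded IDS events."""
    counts: Dict[int, int] = {}
    events: List[dict] = []
    for rec in iter_records(data):
        counts[rec.rtype] = counts.get(rec.rtype, 0) + 1
        ev = decode_event(rec)
        if ev is not None:
            events.append(ev)
    return {"counts": counts, "events": events}


def classify_filename(name: str, base: str) -> str:
    """'timestamp' if the suffix looks like a unix epoch, 'no_timestamp' if it is
    a short number like the '.0' seen in the thread, 'other' if it is not ours."""
    m = SUFFIX_RE.match(name)
    if not m or m.group("base") != base:
        return "other"
    return "timestamp" if len(m.group("suffix")) >= 10 else "no_timestamp"


def build_sample() -> bytes:
    """Constructed two-record stream: one v2 IDS event followed by one packet record."""
    ev = IDS_EVENT_V2.pack(1, 42, 1390000000, 123456, 1000001, 1, 3, 0, 2,
                           0xC0A80001, 0x0A000002, 44444, 80, 6, 0, 0, 0, 0, 0, 0)
    # Packet record header: sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype, packet_length; then the packet bytes.
    pkt = struct.pack("!7I", 1, 42, 1390000000, 1390000000, 123456, 1, 4) + b"\xde\xad\xbe\xef"
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_V2, len(ev)) + ev
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


if __name__ == "__main__":
    print(classify_filename(".unified2.alert.0", "unified2.alert"))
    print(summarise(build_sample()))
```

Run it against a real spool file with `summarise(open(path, "rb").read())`; a file that is the "correct unified2 file" will yield event records with the expected gen/sig ids regardless of how the filename came out, which separates a naming problem from a logging problem.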

