[Snort-devel] unified2 alert files with trailing period and no appended timestamp?

Mike Cox mike.cox52 at ...2499...
Fri Jan 24 09:30:50 EST 2014


Thanks Bhagaya,

I understand what you are saying but the 'nostamp' option wasn't present
when I experienced this issue.  I added it for a test to see if the
filename ('.unified2.alert.0') would be different.  It was not.  The
configuration that is used when I experience this issue is still this:


*output unified2: filename unified2.alert*

Thanks.

-Mike Cox



On Tue, Jan 21, 2014 at 8:27 AM, Bhagya Bantwal <bbantwal at ...402...> wrote:

> If you remove the nostamp config option, the timestamps will be appended to
> the filename.
>
> Thanks!
>
>
> On Fri, Jan 17, 2014 at 3:49 PM, Mike Cox <mike.cox52 at ...2499...> wrote:
>
>> Unfortunately I cannot (NDA with client).  Other than what I've already
>> provided, I can say that the .unified2.alert.0 file appears to be the
>> correct unified2 file (and in the correct directory), it's just that
>> filename seems to be wack.
>>
>> I've tried adding flags to the output line like these but I still get the
>> same results:
>>
>>
>> *output unified2: filename unified2.alert, nostamp*
>>
>> *output unified2: filename unified2.alert, mpls_event_types*
>>
>> Thanks.
>>
>> -Mike Cox
>>
>>
>> On Fri, Jan 17, 2014 at 1:20 PM, Bhagya Bantwal <bbantwal at ...402...> wrote:
>>
>>> Hello Mike,
>>>
>>> Can you send me your snort.conf, pcap and command line?
>>>
>>> Thanks!
>>>
>>> B
>>>
>>>
>>> On Fri, Jan 17, 2014 at 9:04 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
>>>
>>>> I'm investigating a client's setup and they are running Snort 2.9.3.1.
>>>>
>>>> The snort conf file has the following line:
>>>>
>>>> *output unified2: filename unified2.alert*
>>>>
>>>> Snort is being run with an explicit '-l' switch to set the log
>>>> directory.
>>>>
>>>> When I run a pcap thru the engine that generates an alert, the unified2
>>>> alert filename in the log directory looks like this (note the leading
>>>> period and lack of appended timestamp):
>>>>
>>>> *.unified2.alert.0*
>>>>
>>>> Is this a known bug with this version of Snort?  Any other reason why
>>>> this would be happening?
>>>>
>>>> Thanks.
>>>>
>>>> -Mike Cox
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>> Archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>>
>>>
>>>
>>
>
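An added check for the situation in this thread, not code from the list authors: the file Mike sees is named .unified2.alert.0 instead of the expected unified2.alert.<timestamp>, and he reports it "appears to be the correct unified2 file". Rather than trusting the filename, an analyst can walk the file's record headers. The script below builds a constructed two-record sample in memory and validates it; the record type ids and the Unified2IDSEvent layout follow Snort's unified2 format, and the sample values (sensor id, IPs, ports) are made up.

```python
import struct

# Record type ids as defined in Snort's Unified2_common.h
KNOWN_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6", 104: "IDS_EVENT_VLAN",
               105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7

# Unified2IDSEvent (type 7) body: 11 x uint32, 2 x uint16, 4 x uint8, network byte order.
IDS_EVENT_FMT = "!11I2H4B"
IDS_EVENT_LEN = struct.calcsize(IDS_EVENT_FMT)  # 52 bytes; every record starts with "!II" type, length


def build_sample_file() -> bytes:
    """Constructed sample: one IPv4 IDS event followed by its packet record."""
    event = struct.pack(IDS_EVENT_FMT,
                        1, 1, 1390578890, 0,     # sensor_id, event_id, event_second, event_usec
                        1000001, 1, 1, 0, 2,     # signature_id, generator_id, sig rev, class id, priority
                        0x0A000001, 0x0A000002,  # ip_source 10.0.0.1, ip_destination 10.0.0.2
                        40000, 80, 6, 0, 0, 0)   # sport, dport, protocol TCP, impact_flag, impact, blocked
    payload = b"\x00" * 60                       # constructed dummy packet bytes
    # Unified2Packet header: sensor_id, event_id, event_second, packet_second, packet_usec, linktype, length
    packet = struct.pack("!7I", 1, 1, 1390578890, 1390578890, 0, 1, len(payload)) + payload
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)


def walk_records(data: bytes) -> list:
    """Return (type, length, body_offset) per record; raise if the stream is not well-formed."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = off + 8
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"unknown record type {rtype} at offset {off}")
        if body + rlen > len(data):
            raise ValueError(f"{KNOWN_TYPES[rtype]} record claims {rlen} bytes past end of data")
        if rtype == UNIFIED2_IDS_EVENT and rlen != IDS_EVENT_LEN:
            raise ValueError(f"IDS_EVENT body is {rlen} bytes, expected {IDS_EVENT_LEN}")
        records.append((rtype, rlen, body))
        off = body + rlen
    return records


def decode_ids_event(data: bytes, body_offset: int) -> dict:
    """Decode the fields an analyst checks first from a type-7 event body."""
    f = struct.unpack_from(IDS_EVENT_FMT, data, body_offset)
    return {"gid": f[5], "sid": f[4], "src": f[9], "dst": f[10], "proto": f[13]}
```

To run it against a real file, replace build_sample_file() with open(path, "rb").read(); a file that walks cleanly to its last byte is a usable unified2 log whatever its name says.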