[Snort-devel] Not working unified2 module in snort++ (snort 3.0)

박종일 pji5732 at ...3549...
Thu Jan 15 02:03:15 EST 2015


I want to save the log file of Snort 3.0 as a unified2 file.
However, I am unable to do it.
In my case, the unified2 file is created,
but the file has no contents.
My setting (snort.lua):
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config')  -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = not HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B

-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
--perf_monitor.console = true
--perf_monitor.file = false
perf_monitor.seconds = 10
perf_monitor.packets = 5

arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard

--unified2 & output
alert_fast = { }
alert_syslog = { }
unified2 = { }
-- the posted file read 'ture' here, an undefined name that Lua evaluates as nil
unified2.nostamp = true
output = { }
--------------------------------------------------------------------------

And then I start it.
Command: snort -i env16777736 -c /usr/lib/etc/snort/snort.lua -K text
However, the file has no contents:

[root at ...196... ~]# ll
total 39016
drwxr-xr-x.  2 root root        27 Jan 11 23:57 a
-rw-------.  1 root root       979 Jan 11 19:02 anaconda-ks.cfg
-rwxr--r--.  1 root root      1011 Jan 12 01:43 autoinstall.sh
drwxr-xr-x. 11 root root      4096 Jan 14 00:00 barnyard2
drwxr-xr-x.  6 root root      4096 Jan 11 23:39 daq-2.0.4
-rw-r--r--.  1 root root    495316 Oct 23 12:57 daq-2.0.4.tar.gz
drwxr-xr-x.  9  501   501     4096 Jan 11 21:03 libdnet-1.12
-rw-r--r--.  1 root root    970125 Jan 20  2007 libdnet-1.12.tgz
-rw-------.  1 root root     38654 Jan 14 12:09 log.pcap
drwxr-xr-x.  9  501 games     4096 Jan 14 07:45 snort-3.0.0-a1
-rw-r--r--.  1 root root   2811656 Dec 10 07:44 snort-3.0.0-a1-130-auto.tar.gz
drwxr-xr-x.  4  501 games     4096 Jan 14 07:30 snort_extra-1.0.0-a1
-rw-r--r--.  1 root root    381847 Dec 16 12:55 snort_extra-1.0.0-a1-130-auto.tar.gz
-rw-r--r--.  1 root root  35213966 Jan 13 13:59 snortrules-2970.tar.gz
-rw-------.  1 root root         0 Jan 14 12:41 unified2log.u2.1421257261
-rw-------.  1 root root         0 Jan 14 12:43 unified2log.u2.1421257384
-rw-------.  1 root root         0 Jan 14 12:45 unified2log.u2.1421257511
-rw-------.  1 root root         0 Jan 14 12:47 unified2log.u2.1421257621
-rw-------.  1 root root         0 Jan 14 13:47 unified2log.u2.1421261256
[root at ...196... ~]# cat unified2log.u2.1421261256
[root at ...196... ~]#


Please help me...
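As an added example (not from the poster or from the Snort project), here is a small unified2 reader that checks whether a log such as the zero-byte files above holds any records, stops cleanly on a truncated tail, and decodes the fields of the classic UNIFIED2_IDS_EVENT (type 7) record. The 8-byte big-endian record header and the type-7 field layout are those of the unified2 format as documented for Snort 2; the sample bytes below are constructed here, not taken from the poster's files.

```python
import struct
from typing import Iterator, List, Tuple

# unified2 framing: each record starts with an 8-byte header holding the
# record type and the body length (big-endian, length excludes the header).
HDR = struct.Struct("!II")
UNIFIED2_IDS_EVENT = 7
# Type-7 body (52 bytes): sensor_id, event_id, event_second, event_usec,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each complete record; raise on a truncated one."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rlen > len(data):
            raise ValueError(f"truncated type-{rtype} record at offset {off - HDR.size}")
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize(data: bytes) -> List[dict]:
    """One dict per record; an empty file (like the zero-byte logs above) gives []."""
    out = []
    for rtype, body in iter_records(data):
        rec = {"type": rtype, "len": len(body)}
        if rtype == UNIFIED2_IDS_EVENT and len(body) == EVENT.size:
            f = EVENT.unpack(body)
            rec.update(gid=f[5], sid=f[4], rev=f[6],
                       src=".".join(map(str, f[9])), dst=".".join(map(str, f[10])),
                       sport=f[11], dport=f[12], proto=f[13])
        out.append(rec)
    return out


def build_event(sid: int, gid: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a type-7 record (constructed sample data, protocol 6 = TCP)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    body = EVENT.pack(1, 1, 1421261256, 0, sid, gid, 1, 0, 3,
                      ip(src), ip(dst), sport, dport, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed samples: an empty log like the poster's, and one with a single event.
EMPTY_LOG = b""
SAMPLE_LOG = build_event(1000001, 1, "192.168.223.10", "10.0.0.5", 40000, 80)
```

To inspect a real file, pass `open(path, "rb").read()` to `summarize`; an empty list means the writer never emitted a record, not that the reader failed.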

