[Snort-users] Unified2 questions

Lay, James james.lay at ...15009...
Wed Apr 27 10:22:43 EDT 2011

So yea.....I'm sure you all saw this coming ;)


Now that I have unified2 output, the long and short is:  what can I do
with it?  I don't want to run barnyard and pipe to a db...I just want to
see the packets from the command line.  My research/results so far:


Cerberus:  Old, slow, shareware

U2boat:  errors with no packets output:

    [08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
    Defaulting to pcap output.
    Error: incomplete record. 662559 of 1073741824 bytes read.
    [08:11:01:~/log$] ls -l ~/test.pcap
    -rw------- 1  0 2011-04-27 08:11 //test.pcap

U2spewfoo:  errors with no results:

    [08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
    get_record: (2) Failed to read all of record data.
    Read 662559 of 1073741824 bytes


I looked at mudpit as well, but again, it seems to be just a data
spooler/redirector.  My process for handling snort alerts is:

    See the alert in the logs
    Do a whois on the remote IP
    tshark -X the current snort.pcap file matching the remote IP to see
    the raw packet caught


How does unified2 output fit into this type of response?  Thanks for any
help all.
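Added example (not from the original post, and not Snort's or barnyard's code): a minimal Python reader for the unified2 framing the post asks about, written from the record layout in Snort's unified2 struct definitions (an 8-byte type/length header in network byte order, and for type 2, Unified2Packet, the fields sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length followed by the frame). It rewrites the packet records as a classic pcap that tshark can read, and reports a short final record as a notice instead of aborting, which is the failure shape u2boat and u2spewfoo print above. The input is constructed inline (a dummy Ethernet frame plus a trailing header that claims 1073741824 bytes), and all function names are the example's own.

```python
import struct

U2_PACKET = 2                        # unified2 record type: captured packet
REC_HDR = struct.Struct("!II")       # record header: type, length (network byte order)
PKT_HDR = struct.Struct("!IIIIIII")  # sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len

def split_records(data):
    """Walk the unified2 framing; return (records, notice).  records holds (type, payload)
    for every complete record; a short final record goes into notice and the rest is kept."""
    records, off = [], 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):  # header promises more bytes than the file has left
            return records, "incomplete record: %d of %d bytes read" % (len(data) - off, rlen)
        records.append((rtype, data[off:off + rlen]))
        off += rlen
    return records, None

def parse_packet(payload):
    """Decode a Unified2Packet payload into its timestamp, linktype and raw frame."""
    _sensor, event_id, _evt_sec, sec, usec, linktype, plen = PKT_HDR.unpack_from(payload, 0)
    return {"event_id": event_id, "ts": (sec, usec), "linktype": linktype,
            "frame": payload[PKT_HDR.size:PKT_HDR.size + plen]}

def unified2_to_pcap(data):
    """Return (pcap_bytes, notice): every packet record rewritten as a classic pcap file."""
    records, notice = split_records(data)
    pkts = [parse_packet(p) for t, p in records if t == U2_PACKET]
    if not pkts:
        return b"", notice
    # pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, DLT from the record
    pcap = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, pkts[0]["linktype"]))
    for p in pkts:
        pcap += struct.pack("<IIII", p["ts"][0], p["ts"][1], len(p["frame"]), len(p["frame"]))
        pcap += p["frame"]
    return bytes(pcap), notice

# --- constructed sample input (not a real Snort spool file) ---
FRAME = bytes.fromhex("ffffffffffff001122334455" "0800") + b"\x45" + bytes(33)  # 48-byte dummy Ethernet frame
def packet_record(event_id, sec, usec, frame, linktype=1):
    body = PKT_HDR.pack(1, event_id, sec, sec, usec, linktype, len(frame)) + frame
    return REC_HDR.pack(U2_PACKET, len(body)) + body
# one good packet record, then a header claiming 1073741824 bytes with only 20 present (truncated tail)
SAMPLE = packet_record(7, 1303847056, 123, FRAME) + REC_HDR.pack(U2_PACKET, 1073741824) + bytes(20)

if __name__ == "__main__":
    pcap, notice = unified2_to_pcap(SAMPLE)
    open("u2packets.pcap", "wb").write(pcap)  # then: tshark -r u2packets.pcap -x
```

Running it on a real spool file means replacing SAMPLE with the file's bytes; the notice string tells you how much of the final record was actually present.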



