[Snort-users] Unified2 questions
james.lay at ...15009...
Wed Apr 27 10:22:43 EDT 2011
So yea.....I'm sure you all saw this coming ;)
Now that I have unified2 output, the long and short is: what can I do
with it? I don't want to run barnyard and pipe to a db...I just want to
see the packets command line. My research/results so far:
Cerberus: Old, slow, shareware
U2boat: errors with no packets output:
[08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
Defaulting to pcap output.
Error: incomplete record. 662559 of 1073741824 bytes read.
[08:11:01:~/log$] ls -l ~/test.pcap
-rw------- 1 0 2011-04-27 08:11 //test.pcap
U2spewfoo: errors with no results:
[08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
get_record: (2) Failed to read all of record data.
Read 662559 of 1073741824 bytes
I looked at mudpit as well, but again, it seems to be just a data
spooler/redirector. My process for handling snort alerts is:
See the alert in the logs
Do a whois on the remote IP
tshark -X the current snort.pcap file matching the
remote IP to see the raw packet caught
How does unified2 output fit into this type of response? Thanks for any
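One way to get at the packets without barnyard, added here as an example and not code from Snort or any of the tools named above: it walks the unified2 records directly, stops cleanly at an incomplete trailing record (the situation the "incomplete record" errors above describe) instead of aborting, and writes the packet records into a classic pcap that tshark can read. The record layouts follow Snort's Unified2_common.h; the sample bytes, the field values in them and the u2dump.py script name are constructed for illustration.

```python
import struct
import sys

UNIFIED2_IDS_EVENT, UNIFIED2_PACKET = 7, 2
RECORD_HDR = struct.Struct("!II")           # record header: type, length (network byte order)
EVENT_HDR = struct.Struct("!9I4s4sHHBBBB")  # Serial_Unified2IDSEvent (IPv4 alert), 52 bytes
PACKET_HDR = struct.Struct("!7I")           # Serial_Unified2Packet header, 28 bytes, then packet data
PCAP_GLOBAL, PCAP_PKT = struct.Struct("<IHHiIII"), struct.Struct("<IIII")  # classic pcap headers

def iter_records(data):
    """Yield (type, body) for every complete record; stop cleanly at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        if off + RECORD_HDR.size + rlen > len(data):
            break  # incomplete record (file still being written, or corrupt): stop, do not raise
        off += RECORD_HDR.size
        yield rtype, data[off:off + rlen]
        off += rlen

def parse(data):
    """Return (events, packets); both carry event_id, which links a packet to its alert."""
    events, packets = [], []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVENT_HDR.unpack_from(body)
            events.append({"event_id": f[1], "gid": f[5], "sid": f[4], "src": ".".join(map(str, f[9])),
                           "sport": f[11], "dst": ".".join(map(str, f[10])), "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)  # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, len
            packets.append({"event_id": f[1], "ts": f[3:5], "linktype": f[5], "data": body[PACKET_HDR.size:][:f[6]]})
    return events, packets

def to_pcap(packets, linktype=1):
    """Wrap the packet records in a classic pcap file so tshark/tcpdump can read them."""
    return PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype) + b"".join(
        PCAP_PKT.pack(*p["ts"], len(p["data"]), len(p["data"])) + p["data"] for p in packets)

# Constructed sample: one IPv4 alert (gid 1, sid 2000001), its packet, then a record cut off mid-write.
PAYLOAD = bytes(range(20))  # stand-in for a captured frame
SAMPLE = (RECORD_HDR.pack(7, EVENT_HDR.size) + EVENT_HDR.pack(1, 1, 1303847056, 0, 2000001, 1, 1, 3, 2,
              bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]), 12345, 80, 6, 0, 0, 0)
          + RECORD_HDR.pack(2, PACKET_HDR.size + len(PAYLOAD))
          + PACKET_HDR.pack(1, 1, 1303847056, 1303847056, 250000, 1, len(PAYLOAD)) + PAYLOAD
          + RECORD_HDR.pack(2, 1000) + b"\x00" * 10)  # header claims 1000 bytes, only 10 follow

if __name__ == "__main__":  # usage: u2dump.py <unified2-file> <out.pcap>, then tshark -r out.pcap -x
    events, packets = parse(open(sys.argv[1], "rb").read())
    print(*(f"event {e['event_id']} [{e['gid']}:{e['sid']}] {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}" for e in events), sep="\n")
    open(sys.argv[2], "wb").write(to_pcap(packets, packets[0]["linktype"] if packets else 1))
```

Only IPv4 event records (type 7) and packet records (type 2) are decoded; other record types are skipped but still walked, so a mixed file does not derail the parser.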