[Snort-users] Unified2 questions

Joel Esler jesler at ...1935...
Wed Apr 27 10:27:20 EDT 2011


Can't you use "pcap" output in barnyard?

J

On Wed, Apr 27, 2011 at 10:22 AM, Lay, James <james.lay at ...15009...> wrote:

> So yea…..I’m sure you all saw this coming ;)
>
>
>
> Now that I have unified2 output, the long and short is:  what can I do with
> it?  I don’t want to run barnyard and pipe to a db…I just want to see the
> packets on the command line.  My research/results so far:
>
>
>
> Cerberus:  Old, slow, shareware
>
> U2boat:  errors with no packets output:
>
> [08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
>
> Defaulting to pcap output.
>
> Error: incomplete record. 662559 of 1073741824 bytes read.
>
> [08:11:01:~/log$] ls -l ~/test.pcap
>
> -rw------- 1  0 2011-04-27 08:11 //test.pcap
>
> U2spewfoo: errors with no results:
>
>                 [08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
>
> get_record: (2) Failed to read all of record data.
>
> Read 662559 of 1073741824 bytes
>
>
>
> I looked at mudpit as well, but again, it seems to be just a data
> spooler/redirector.  My process for handling snort alerts is:
>
>                 See the alert in the logs
>
>                 Do a whois on the remote IP
>
>                 tshark -X the current snort.pcap file matching the remote
> IP to see the raw packet caught
>
>
>
> How does unified2 output fit into this type of response?  Thanks for any
> help all.
>
>
>
> James
>
>
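The quoted question asks what can be done with a unified2 file from the command line without barnyard, and shows both u2boat and u2spewfoo stopping on an incomplete record. The following is an added example (not code from the Snort project, u2boat or u2spewfoo) of a minimal unified2 reader in Python: it walks the record stream, decodes Unified2IDSEvent (type 7) and Unified2Packet (type 2) records, joins packets to events by (sensor_id, event_id) so packets for a given remote IP can be pulled out, writes the packets as a pcap that tshark can read, and reports a truncated trailing record instead of aborting. The record layouts are the documented unified2 structures; the sample stream, the IP addresses and the placeholder Ethernet frame are constructed for the example.

```python
"""Minimal unified2 reader: list events, pull packets for an IP, write a pcap.

Added example; not part of Snort, u2boat or u2spewfoo. The sample data
built by build_sample() is constructed, not a real capture.
"""
import socket
import struct
from typing import Dict, List

# Record type identifiers from the unified2 format (all fields big-endian).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct(">II")          # record type, record length
IDS_EVENT = struct.Struct(">11IHHBBBB")    # Unified2IDSEvent, 52 bytes
PACKET_HDR = struct.Struct(">7I")          # Unified2Packet header, 28 bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag",
                "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_unified2(data: bytes) -> Dict[str, object]:
    """Decode a unified2 byte stream into events and packets.

    A record whose declared length runs past the end of the data (the
    "incomplete record" case) stops parsing; its (declared, available)
    byte counts are returned under "truncated" rather than raising.
    """
    events, packets, other = [], [], []
    truncated = None
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size: off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            truncated = (rlen, len(body))
            break
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
            ev["src"] = socket.inet_ntoa(ev["ip_source"].to_bytes(4, "big"))
            ev["dst"] = socket.inet_ntoa(ev["ip_destination"].to_bytes(4, "big"))
            events.append(ev)
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            pk = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
            pk["data"] = body[PACKET_HDR.size: PACKET_HDR.size + pk["packet_length"]]
            packets.append(pk)
        else:
            other.append(rtype)          # types this example does not decode
        off += RECORD_HDR.size + rlen
    if truncated is None and off < len(data):
        truncated = (None, len(data) - off)   # partial record header at the tail
    return {"events": events, "packets": packets, "other": other, "truncated": truncated}


def packets_for_ip(parsed: Dict[str, object], ip: str) -> List[dict]:
    """Packets belonging to events whose source or destination is `ip`."""
    wanted = {(e["sensor_id"], e["event_id"])
              for e in parsed["events"] if ip in (e["src"], e["dst"])}
    return [p for p in parsed["packets"] if (p["sensor_id"], p["event_id"]) in wanted]


def to_pcap(packets: List[dict], linktype: int = 1) -> bytes:
    """Serialize packet records as a classic libpcap file (little-endian header)."""
    if packets:
        linktype = packets[0]["linktype"]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        out += struct.pack("<IIII", p["packet_second"], p["packet_microsecond"],
                           len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed stream: one event, its packet, then a truncated record."""
    def rec(rtype: int, body: bytes) -> bytes:
        return RECORD_HDR.pack(rtype, len(body)) + body
    src = int.from_bytes(socket.inet_aton("10.0.0.5"), "big")     # constructed
    dst = int.from_bytes(socket.inet_aton("192.0.2.77"), "big")   # constructed
    event = IDS_EVENT.pack(1, 42, 1303847056, 0, 2003, 1, 5, 3, 2, src, dst,
                           51234, 80, 6, 0, 0, 0)
    frame = b"\xaa" * 14 + b"GET / HTTP/1.0\r\n"   # placeholder frame, not a real capture
    packet = PACKET_HDR.pack(1, 42, 1303847056, 1303847056, 123456, 1, len(frame)) + frame
    short = RECORD_HDR.pack(UNIFIED2_PACKET, 200) + b"\x00" * 16   # claims 200, has 16
    return rec(UNIFIED2_IDS_EVENT, event) + rec(UNIFIED2_PACKET, packet) + short


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = parse_unified2(raw)
    for e in result["events"]:
        print(f"[{e['generator_id']}:{e['signature_id']}:{e['signature_revision']}] "
              f"{e['src']}:{e['sport_itype']} -> {e['dst']}:{e['dport_icode']} "
              f"proto {e['protocol']}")
    print(f"{len(result['packets'])} packet record(s); truncated tail: {result['truncated']}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(to_pcap(result["packets"]))
```

Run as `python reader.py snort-unified.1303847056 out.pcap` to list the events and write the packet records to a pcap for tshark; with no arguments it parses the constructed sample. The "truncated" field is the reader's version of the u2boat/u2spewfoo message above: a record header whose length field points past the end of the file is reported with the declared and available byte counts, and everything parsed before it is still returned.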