[Snort-users] Unified2 questions

Lay, James james.lay at ...15009...
Wed Apr 27 11:29:17 EDT 2011

Ok....I got this to fly.....looks like I'll make a new script to gank
what I need on the fly ;)  Thanks Joel.




From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Wednesday, April 27, 2011 8:27 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unified2 questions


Can't you use "pcap" output in barnyard?



On Wed, Apr 27, 2011 at 10:22 AM, Lay, James <james.lay at ...15009...>

So yea.....I'm sure you all saw this coming ;)


Now that I have unified2 output, the long and short is:  what can I do
with it?  I don't want to run barnyard and pipe to a db...I just want to
see the packets command line.  My research/results so far:


Cerberus:  Old, slow, shareware

U2boat:  errors with no packets output:

[08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap

Defaulting to pcap output.

Error: incomplete record. 662559 of 1073741824 bytes read.

[08:11:01:~/log$] ls -l ~/test.pcap

-rw------- 1  0 2011-04-27 08:11 //test.pcap

U2spewfoo: errors with no results:

[08:15:06 :~/log$] u2spewfoo snort-unified.1303847056

get_record: (2) Failed to read all of record data.

Read 662559 of 1073741824 bytes


I looked at mudpit as well, but again, it seems to be just a data
spooler/redirector.  My process for handling snort alerts is:

                See the alert in the logs

                Do a whois on the remote IP

                tshark -X the current snort.pcap file matching the remote IP
                to see the raw packet caught


How does unified2 output fit into this type of response?  Thanks for any
help all.
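The question above is really about reading the unified2 spool directly: walk the records, decode the event and packet records, tolerate an incomplete trailing record (the exact failure u2boat and u2spewfoo stop on), and write the packets that belong to a given remote IP out to pcap so the existing tshark step still works. The following reader is an added example, not code from this thread or from Snort's own tools. It assumes the record layout from Snort's Unified2_common.h (big-endian type/length header; type 7 is the 52-byte IPv4 event, type 2 is the packet record); the sample blob it builds is constructed for illustration, and `build_sample`, `packets_for_ip` and `to_pcap` are names chosen here.

```python
"""
Minimal unified2 reader: decodes IDS event and packet records, reports a
truncated trailing record instead of aborting, and serialises the packets
tied to a remote IP into pcap for inspection with tshark -x.
"""
import struct
import sys
from collections import namedtuple

# Record type codes as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7      # IPv4 event, legacy 52-byte layout

Event = namedtuple("Event", "sensor_id event_id event_second event_usec "
                            "sig_id gen_id sig_rev class_id priority "
                            "src dst sport dport proto")
Packet = namedtuple("Packet", "sensor_id event_id event_second "
                              "pkt_second pkt_usec linktype data")

_EVENT_FMT = ">IIIIIIIII4s4sHHBBBB"   # 52 bytes (last 3 bytes: impact flags)
_PACKET_FMT = ">IIIIIII"              # 28 bytes, then packet_length bytes


def _ipv4(raw):
    return ".".join(str(b) for b in raw)


def parse_unified2(blob):
    """Return (events, packets, truncated).

    Every record is a big-endian (type, length) header followed by `length`
    bytes.  If the file ends mid-record (Snort still appending, or a damaged
    spool) the partial record is reported as (type, bytes_present,
    bytes_claimed) and every complete record before it is kept.
    """
    events, packets, truncated = [], [], None
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack(">II", blob[off:off + 8])
        body = blob[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            truncated = (rtype, len(body), rlen)
            break
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= 52:
            f = struct.unpack(_EVENT_FMT, body[:52])
            events.append(Event(*f[:9], _ipv4(f[9]), _ipv4(f[10]),
                                f[11], f[12], f[13]))
        elif rtype == UNIFIED2_PACKET and rlen >= 28:
            f = struct.unpack(_PACKET_FMT, body[:28])
            packets.append(Packet(*f[:6], body[28:28 + f[6]]))
        # other record types (IPv6 events, extra data) are skipped here
    return events, packets, truncated


def packets_for_ip(events, packets, remote_ip):
    """Packets whose owning event has remote_ip as source or destination.
    A packet record is tied to its event by (sensor_id, event_id)."""
    keys = {(e.sensor_id, e.event_id) for e in events
            if remote_ip in (e.src, e.dst)}
    return [p for p in packets if (p.sensor_id, p.event_id) in keys]


def to_pcap(packets, linktype=1):
    """Serialise packets into a classic little-endian pcap byte string."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        out.append(struct.pack("<IIII", p.pkt_second, p.pkt_usec,
                               len(p.data), len(p.data)))
        out.append(p.data)
    return b"".join(out)


def build_sample():
    """Constructed unified2 blob: one IPv4 event, its packet, then a header
    claiming far more bytes than follow (a truncated tail, as in the thread)."""
    ev = struct.pack(_EVENT_FMT, 1, 10, 1303847056, 0, 1000001, 1, 1, 3, 2,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]),
                     44444, 80, 6, 0, 0, 0)
    frame = bytes(12) + b"\x08\x00" + b"constructed payload"
    pk = struct.pack(_PACKET_FMT, 1, 10, 1303847056, 1303847056, 123456,
                     1, len(frame)) + frame
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack(">II", UNIFIED2_PACKET, len(pk)) + pk
            + struct.pack(">II", UNIFIED2_PACKET, 1073741824) + bytes(10))


if __name__ == "__main__":
    # usage: reader.py <unified2 file> <remote ip> [out.pcap]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    remote = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.1"
    events, packets, truncated = parse_unified2(data)
    for e in events:
        print(f"[{e.gen_id}:{e.sig_id}:{e.sig_rev}] {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport} proto {e.proto}")
    if truncated:
        print(f"incomplete trailing record: type {truncated[0]}, "
              f"{truncated[1]} of {truncated[2]} bytes present")
    with open(sys.argv[3] if len(sys.argv) > 3 else "unified2-packets.pcap",
              "wb") as fh:
        fh.write(to_pcap(packets_for_ip(events, packets, remote)))
```

Run it against a spool file and a remote IP, then `tshark -x -r unified2-packets.pcap` to get the raw bytes. The point of `truncated` is that a spool Snort is still writing to always ends in a partial record; keeping the complete records and reporting the partial one is more useful for a quick look than refusing the whole file.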




