[Snort-users] Snort ->Barnyard2

beenph beenph at ...11827...
Mon Aug 29 23:57:13 EDT 2011


On Mon, Aug 29, 2011 at 11:08 PM, James Kaufman
<jmk at ...15089...> wrote:
> Snort 2.9.1 is running on my CentOS 5.6 server. I compiled snort from
> tarball:
>
> # snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 6.6 06-Feb-2006
>            Using ZLIB version: 1.2.3
>
> # ps -aef|grep snort
>
> snort    31528     1  0 Aug27 ?        00:03:17 /usr/local/bin/snort -b
> -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>
> I have this in snort.conf:
>
> # unified2
> # Recommended for most installs
> output unified2: filename merged.log, limit 128, nostamp
>
> There are no other uncommented output lines.
>
> /var/log/snort has:
>
> # dir -l
> total 1168
> -rw-r--r-- 1 root  root  676540 Aug 28 09:47 alert
> -rw------- 1 snort snort 149779 Aug 27 13:52 snort.log.1314471019
> -rw------- 1 snort snort 339181 Aug 28 09:47 snort.log.1314471620
>
>

Have you tried looking on your system for a merged.log* file?

Also, if you intend to use barnyard2, make sure to remove the nostamp
option from the output unified2 line in your snort.conf:
barnyard running in continuous mode won't process it, and after 128 MB
snort will overwrite your file (unless this behavior has changed).

Was your snort process freshly restarted, or did you kill -HUP it after
some config changes?

Are you sure your snort process is using the correct config file?

I hope this can help you.

-elz
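As an added check illustrating the points in the reply above (example code written for this page, not from the thread or from the Snort or barnyard2 projects): a POSIX shell script that finds the active "output unified2:" line in a snort.conf, flags the nostamp option that barnyard2 in continuous mode cannot follow, reports the file name pattern Snort will write, and prints the matching barnyard2 continuous-mode command line. The config and waldo file paths are assumptions; the barnyard2 flags -c, -d, -f, -w and -D are its standard options.

```shell
# Print the uncommented "output unified2:" line(s) from a snort.conf.
unified2_line() {
    grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1"
}

# Inspect the first active unified2 output line.
# Returns 0 when barnyard2 continuous mode can spool the output,
# 1 when nostamp is set, 2 when no active unified2 line exists.
unified2_check() {
    conf="$1"
    line=$(unified2_line "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "no active unified2 output line in $conf"
        return 2
    fi
    # Extract the base file name from "filename <name>,".
    base=$(printf '%s\n' "$line" | sed -n 's/.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p')
    if printf '%s\n' "$line" | grep -q 'nostamp'; then
        echo "nostamp set: snort writes a single $base and rewrites it at the size limit"
        return 1
    fi
    echo "ok: snort writes $base.<unix-timestamp> files that barnyard2 -f $base can spool"
    return 0
}

# Print the barnyard2 continuous-mode invocation for a given unified2 base name.
# Arguments: barnyard2 config path, spool (snort log) directory, unified2 base name.
# The waldo file (-w) records the last processed record so a restart resumes
# instead of replaying the whole spool.
barnyard2_cmd() {
    printf 'barnyard2 -c %s -d %s -f %s -w %s/barnyard2.waldo -D\n' "$1" "$2" "$3" "$2"
}

# Usage (paths are hypothetical):
#   unified2_check /etc/snort/snort.conf && \
#       barnyard2_cmd /etc/snort/barnyard2.conf /var/log/snort merged.log
```

With the poster's line "output unified2: filename merged.log, limit 128, nostamp" the check returns 1 and explains why; after dropping nostamp it returns 0 and the printed barnyard2 command points -f at the same base name Snort uses.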



