[Snort-users] Let's talk about ....

Peter Bates peter.bates at ...15381...
Tue Oct 9 04:10:54 EDT 2012



Hello all

On 08/10/2012 23:28, AllowOverride wrote:
> next topic, revisited:
> 
> u2spewfoo snort.log.1349734894 
> get_record: (2) Failed to read all of record data.
> 	Read 14476 of 33555456 bytes
> 
> why?
> 
> i run snort/barnyard2 this way: should i change?
> 
> /usr/local/bin/snort -A fast -c /etc/snort/etc/snort.conf -i eth0 &

I should have made it clearer in my previous email, but you should drop
the -A fast.

# snort -A fast -c /etc/snort/snort.conf -i eth1
<snip>
Commencing packet processing (pid=7855)
Decoding Ethernet

# ls -hl
total 12K
-rw-r--r-- 1 root  snort  448 Oct  9 09:05 alert
-rw------- 1 snort snort  480 Oct  9 09:05 snort.log.1349769868

# file snort.log.1349769868
snort.log.1349769868: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

Again, Snort is creating a pcap file and not a unified2 log.

# snort -c /etc/snort/snort.conf -i eth1
<snip>
Commencing packet processing (pid=7882)
Decoding Ethernet

# ls -hl
total 8.0K
-rw------- 1 snort snort 1.2K Oct  9 09:07 snort.log.1349770017

# file snort.log.1349770017
snort.log.1349770017: data

# u2spewfoo snort.log.1349770017 |grep sig
        sig id: 10000001        gen id: 1       revision: 0      classification: 0

Obviously when all is running fine you can daemonize with -D.
Using & you're backgrounding any startup errors you might see.

After this I suspect barnyard2 will work fine as it 
will have the unified2 input it is expecting.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
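Why u2spewfoo reported a 33555456-byte record: the little-endian pcap file header begins "d4 c3 b2 a1 02 00 04 00", and a unified2 reader takes the second word ("02 00 04 00", the pcap version 2.4) as a big-endian record length of 0x02000400 = 33555456. The following Python is an added example, not Snort's or the poster's code: it classifies a Snort output file by its leading bytes the way `file` does and walks unified2 record headers the way u2spewfoo's get_record does. The sample headers are constructed inline; the record-type numbers are assumed from Snort's Unified2_common.h.

```python
import struct

# Constructed sample: the 24-byte libpcap file header Snort wrote here with -A fast
# (little-endian magic, version 2.4, snaplen 1514, linktype 1 = Ethernet).
PCAP_SAMPLE = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ea050000 01000000")

# Constructed sample: one unified2 record, type 7 (IDS_EVENT), with a 52-byte body.
U2_SAMPLE = struct.pack(">II", 7, 52) + b"\x00" * 52

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # microsecond pcap, LE / BE
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}   # nanosecond pcap, LE / BE

# Record types Snort's unified2 output plugin emits (assumed from Unified2_common.h).
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6", 104: "IDS_EVENT_VLAN",
            105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}


def classify(data: bytes) -> str:
    """Like `file`: report 'pcap', 'unified2' or 'unknown' from the leading bytes."""
    if len(data) < 8:
        return "unknown"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    rec_type, rec_len = struct.unpack(">II", data[:8])  # unified2 headers are big-endian
    if rec_type in U2_TYPES and rec_len <= len(data) - 8:
        return "unified2"
    return "unknown"


def walk_unified2(data: bytes) -> list:
    """Collect (type, length) per record; fail like get_record when data runs short."""
    records, off = [], 0
    while off + 8 <= len(data):
        rec_type, rec_len = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rec_len]
        if len(body) < rec_len:
            raise ValueError("get_record: Failed to read all of record data. "
                             f"Read {len(body)} of {rec_len} bytes")
        records.append((rec_type, rec_len))
        off += 8 + rec_len
    return records


def u2_read_error(data: bytes):
    """Return the get_record-style message a file provokes, or None if it parses."""
    try:
        walk_unified2(data)
        return None
    except ValueError as exc:
        return str(exc)
```

Feeding PCAP_SAMPLE to walk_unified2 reproduces the "Read ... of 33555456 bytes" failure from the original report, while U2_SAMPLE parses as a single IDS_EVENT record.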
