[Snort-users] reading snort logs

James Lay jlay at ...13475...
Sun Apr 21 11:28:48 EDT 2013


Snort MiniFAQ

Snort is an IDS/IPS that can listen on live interfaces and read pcaps (run with -r).  If you're running anything besides the latest snort (http://www.snort.org/snort-downloads) then stop reading and install that FIRST.  The internet is chock full of outdated how-to's with snort.  If you've used one to install snort, then be prepared to make some changes. 

Snort can (add to your snort.conf) output to human readable text (output alert_fast:), unified2 filetype (output unified2:), syslog (output alert_syslog:), and pcap file format (output log_tcpdump:).

If you're wanting database support, then barnyard2 is the application you'll want to read the unified2 files that will get put into your database.  If you want to listen to multiple interfaces and have multiple sources of data, then you're going to have to have multiple instances of snort and barnyard2 running.  In a nutshell you'll want for example a snort1.conf, snort2.conf, and snort3.conf as well as a barnyard1.conf, barnyard2.conf, and barnyard3.conf.  You can have the unified2 files be differently named, or read from different directories.


On Apr 21, 2013, at 8:16 AM, "MCLEOD, DONNIE" <DMCLEO11 at ...16247...> wrote:

> Hi, can anyone tell me how to open and read snort logs?
> I'm a newbie to snort, thanks 
> 
> Don
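A small script that reads two of the output formats the MiniFAQ lists: alert_fast text lines and unified2 binary records. This is an added example, not code from the Snort project, barnyard2, or the post above. The alert lines and the unified2 bytes are constructed inline so it runs offline; the binary layout follows Snort's Serial_Unified2_Header (type, length), Unified2IDSEvent_legacy (record type 7, IPv4 events) and Unified2Packet (record type 2) structures, all in network byte order. IPv6 and VLAN event types are not parsed here and are skipped.

```python
"""Read Snort alert_fast lines and unified2 records.

Added example (not Snort's or barnyard2's own code). The sample alert lines
and the unified2 byte string are constructed below for demonstration.
"""
import re
import socket
import struct
from datetime import datetime, timezone

# alert_fast layout (Snort 2.9):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
ALERT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_alert_fast(line):
    """Return a dict for one alert_fast line, or None if it does not match."""
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"],
        "priority": int(d["prio"]) if d["prio"] else None,
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


# unified2: every record is a (type, length) header followed by `length` bytes.
U2_HEADER = struct.Struct("!II")
U2_PACKET = 2                               # Unified2Packet
U2_IDS_EVENT = 7                            # Unified2IDSEvent_legacy (IPv4)
U2_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")   # 52 bytes
U2_PKT_HDR = struct.Struct("!" + "I" * 7)             # 28 bytes, then packet data


def iter_unified2(data):
    """Yield (record_type, payload) for each record; raise on a truncated record."""
    off = 0
    while off + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, off)
        off += U2_HEADER.size
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_ids_event(payload):
    """Decode a type 7 event: field order follows Unified2IDSEvent_legacy."""
    f = U2_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "time": datetime.fromtimestamp(f[2], tz=timezone.utc).isoformat(),
        "sid": f[4], "gid": f[5], "rev": f[6],
        "classification_id": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport_itype": f[11], "dport_icode": f[12],
        "proto": f[13], "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(payload):
    """Decode a type 2 record: Unified2Packet header plus raw packet bytes."""
    f = U2_PKT_HDR.unpack_from(payload)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_microsecond": f[4],
            "linktype": f[5], "packet_length": f[6],
            "data": payload[U2_PKT_HDR.size:U2_PKT_HDR.size + f[6]]}


def read_unified2(data):
    """Return (events, packets) from a unified2 byte string; other types are skipped."""
    events, packets = [], []
    for rtype, payload in iter_unified2(data):
        if rtype == U2_IDS_EVENT:
            events.append(parse_ids_event(payload))
        elif rtype == U2_PACKET:
            packets.append(parse_packet(payload))
    return events, packets


def read_unified2_file(path):
    with open(path, "rb") as fh:
        return read_unified2(fh.read())


# Constructed samples (not real captures). 1366558128 = 2013-04-21 15:28:48 UTC.
SAMPLE_ALERT = ("04/21-11:28:48.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
                "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.20:45678")
SAMPLE_ICMP_ALERT = ("04/21-11:29:01.000001  [**] [1:384:5] ICMP PING [**] "
                     "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9")
_EVENT = U2_EVENT.pack(1, 42, 1366558128, 0, 2100498, 1, 7, 3, 2,
                       int.from_bytes(socket.inet_aton("192.168.1.10"), "big"),
                       int.from_bytes(socket.inet_aton("192.168.1.20"), "big"),
                       80, 45678, 6, 0, 0, 0)
_PKT_DATA = b"\x00" * 14                    # placeholder Ethernet header
_PACKET = U2_PKT_HDR.pack(1, 42, 1366558128, 1366558128, 0, 1, len(_PKT_DATA)) + _PKT_DATA
SAMPLE_U2 = (U2_HEADER.pack(U2_IDS_EVENT, len(_EVENT)) + _EVENT
             + U2_HEADER.pack(U2_PACKET, len(_PACKET)) + _PACKET)

if __name__ == "__main__":
    print(parse_alert_fast(SAMPLE_ALERT))
    events, packets = read_unified2(SAMPLE_U2)
    print(events[0], len(packets[0]["data"]))
```

Point read_unified2_file at a real snort.log.NNNN produced by the unified2 output plugin to walk its records; events that belong to one alert are followed by the packet record with the same event_id, which is how barnyard2 pairs them.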


