[Snort-users] snort suddenly stopped recording events
peter.bates at ...15381...
Wed Jul 24 11:20:28 EDT 2013
On 24/07/2013 15:00, Alex wrote:
> Now, in snort.conf I have 2 lines defined for output:
> output unified2: filename merged.log, limit 128
> output alert_syslog: LOG_AUTH LOG_ALERT
Yes - there are 2 lines, so you have defined 2 different outputs.
Are you trying to output to unified2 (the first line), or syslog, or both?
I'd recommend sticking to unified2 only
unless you only want to read alerts via syslog, and then
I'd use the second line.
Personally I'm writing to unified2 and then using BY2
to read from those files and output to syslog and a DB.
> Now, I've started snort as daemon and tried to generate some traffic again,
> telnetting another host from the same source (192.168.51.59)
> telnet 192.168.51.100 80! Unfortunately, this time tcpdump will show and
> record only arp request:
> [root at ...4157... ~]# tcpdump -i eth4 -v host 192.168.51.59
> tcpdump: WARNING: eth4: no IPv4 address assigned
> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 96
> 16:20:41.672663 arp who-has 192.168.51.59 tell 192.168.51.100
If tcpdump is not seeing your traffic on eth4 then that's nothing to do with Snort!
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
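Peter's advice above is to write unified2 only and let Barnyard2 fan the events out to syslog and a database. When the complaint is "snort stopped recording events", the quickest check is to look directly at what Snort is (or is not) writing into the unified2 spool, before involving Barnyard2 at all. The walker below is an added example, not code from the thread, from Snort or from Barnyard2: it reads a unified2 file record by record, decodes the legacy IPv4 IDS event record (type 7) and the packet record (type 2), skips anything else by length, and stops cleanly at a partially written tail. The sample bytes it parses are constructed inline for the demo and are not a capture from the thread; the field layout and record type numbers are taken from the unified2 format as Snort 2.x writes it.

```python
"""Walk a unified2 spool file and summarise the IDS events in it.

Added example (not from the Snort-users thread, Snort or Barnyard2).
Layout assumed here, all fields big-endian:
  record header        : type(u32) length(u32)
  type 7  IDS_EVENT    : 52-byte fixed struct (legacy IPv4 event)
  type 2  PACKET       : 28-byte fixed header followed by packet_length bytes
Any other record type is skipped by its declared length so the walker stays in sync.
"""
import struct
import sys

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HDR = struct.Struct("!II")
# sensor_id event_id event_second event_microsecond signature_id generator_id
# signature_revision classification_id priority_id ip_source ip_destination
# sport_itype dport_icode protocol impact_flag impact blocked
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# sensor_id event_id event_second packet_second packet_microsecond linktype packet_length
PACKET = struct.Struct("!IIIIIII")
assert IDS_EVENT.size == 52 and PACKET.size == 28


def ip4_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip4(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def walk_records(data):
    """Yield (type, body) for each complete record in the buffer.

    Snort appends records as alerts fire, so a live spool file can end in the
    middle of a record; a reader (Barnyard2 included) must wait rather than
    treat the partial tail as data.  We simply stop there.
    """
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rlen > len(data):
            break  # truncated tail: record not fully written yet
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_events(data):
    """Return a list of decoded IDS events, each with the count of packet records
    that Snort logged for it (matched on event_id)."""
    events = []
    by_event_id = {}
    for rtype, body in walk_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            ev = {
                "event_id": f[1], "event_second": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6],
                "src": int_to_ip4(f[9]), "dst": int_to_ip4(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13],
                "packets": 0,
            }
            events.append(ev)
            by_event_id[ev["event_id"]] = ev
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET.size:
            p = PACKET.unpack_from(body)
            if p[1] in by_event_id:
                by_event_id[p[1]]["packets"] += 1
        # everything else (IPv6 events, VLAN events, extra data) is skipped
    return events


def record(rtype, body):
    return HDR.pack(rtype, len(body)) + body


def sample_spool():
    """Constructed unified2 bytes for the demo (not a real capture):
    one TCP event 1:1000001:1 for 192.168.51.59 -> 192.168.51.100:80, its packet
    record, an unrelated record of type 110, and a truncated final record."""
    ev = IDS_EVENT.pack(1, 7, 1374682841, 672663, 1000001, 1, 1, 3, 2,
                        ip4_to_int("192.168.51.59"), ip4_to_int("192.168.51.100"),
                        40000, 80, 6, 0, 0, 0)
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 27  # placeholder bytes, not a real frame
    pk = PACKET.pack(1, 7, 1374682841, 1374682841, 672663, 1, len(frame)) + frame
    return (record(UNIFIED2_IDS_EVENT, ev) + record(UNIFIED2_PACKET, pk)
            + record(110, b"\x00" * 16) + HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)


def summarise(data):
    """One line per event, the shape of check you want when asking
    'is Snort still writing anything into merged.log.*?'."""
    return ["{gid}:{sid}:{rev} {src}:{sport} -> {dst}:{dport} proto={proto} packets={packets}"
            .format(**e) for e in parse_events(data)]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_spool()
    for line in summarise(blob):
        print(line)
```

Run it against the live spool with `python3 u2walk.py /var/log/snort/merged.log.<timestamp>` (the filename prefix comes from the `output unified2: filename merged.log` line; the suffix is the epoch Snort appends). Zero events while tcpdump on the same interface shows the traffic points at Snort or its rules; zero events while tcpdump shows nothing but ARP, as in Alex's output, points at the interface or the span/tap, exactly as Peter says.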