[Snort-users] @snort.u2 file size 0 bytes

Peter Bates peter.bates at ...15381...
Thu Sep 5 04:09:15 EDT 2013



Hello all

On 05/09/2013 07:47, anagha b wrote:
> I checked my snort.u2 file size is 0 bytes.

Okay - Snort should be generating some logs, and BY2 is for
processing the logs that Snort produces.
For now I'd ignore BY2 if your snort.u2 file is 0 bytes.

Check Snort is configured to log to a unified2 file:

grep '^output' /path/to/snort.conf
output unified2: filename snort.log, limit 128

Run Snort in the foreground with

/path/to/snort -c /path/to/snort.conf -i ethX
where X is your 'sniffing' interface.

Generate some traffic.

Ctrl-C to end Snort.

Look to see if your .u2 file has been created and is not 0 bytes.

The default location for this is probably /var/log/snort but can
also be configured with 'logdir' in snort.conf.

If the .u2 file contains data, try running Snort as above again
to see if it makes a new file and also contains data.

You can use u2spewfoo to query the unified2 files.

When you're 100% sure that Snort is capturing traffic,
move on to BY2, and you can try running that in the foreground initially
as well.

/path/to/barnyard2 -c /path/to/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
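The checks in the mail above (is the newest snort.u2.* file non-empty, and does it actually contain records?) as a small added script. This is an example written for this page, not code from Peter's mail, from Snort or from Barnyard2. It builds a constructed sample log directory (one 0-byte file like the one in the thread, one file holding a single event and its packet) and walks the records the way u2spewfoo would. The record layouts are assumed from Snort's Unified2_common.h (4-byte big-endian type and length, the 52-byte legacy IPv4 event, the 28-byte packet header); check them against the header shipped with your Snort version before trusting the decoded fields, and use u2spewfoo for anything beyond a quick sanity check.

```python
import ipaddress
import os
import struct
import tempfile

# Assumed from Snort's Unified2_common.h: each record is a big-endian
# uint32 type and uint32 length, followed by that many payload bytes.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event record
RECORD_HEADER = struct.Struct("!II")
# legacy IDS event: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination (uint32 each), sport_itype,
# dport_icode (uint16), protocol, impact_flag, impact, blocked (uint8)
IDS_EVENT = struct.Struct("!11I2H4B")            # 52 bytes
# packet record: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length (uint32), then packet bytes
PACKET_HEADER = struct.Struct("!7I")             # 28 bytes


def newest_unified2(logdir, base="snort.u2"):
    """Newest non-empty <base>.<epoch> file in logdir, or None if Snort wrote nothing."""
    best = None
    for entry in os.scandir(logdir):
        if not entry.is_file() or not entry.name.startswith(base + "."):
            continue
        suffix = entry.name[len(base) + 1:]
        if not suffix.isdigit() or entry.stat().st_size == 0:
            continue  # a 0-byte file (the symptom in the thread) holds no records
        if best is None or int(suffix) > best[0]:
            best = (int(suffix), entry.path)
    return None if best is None else best[1]


def iter_records(path):
    """Yield (type, payload) for each record; raise on a truncated tail."""
    with open(path, "rb") as fh:
        data = fh.read()
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - RECORD_HEADER.size))
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize(path):
    """Count records by type and decode legacy IPv4 events, roughly what u2spewfoo prints."""
    counts, events = {}, []
    for rtype, body in iter_records(path):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            events.append({
                "gid": f[5], "sid": f[4], "rev": f[6],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            })
    return counts, events


def write_sample_logdir(logdir):
    """Constructed sample data: an empty file, and a newer one with one event + packet."""
    open(os.path.join(logdir, "snort.u2.1378300000"), "wb").close()
    event = IDS_EVENT.pack(1, 1, 1378300100, 0, 1000001, 1, 1, 0, 3,
                           int(ipaddress.IPv4Address("10.0.0.5")),
                           int(ipaddress.IPv4Address("192.0.2.10")),
                           40000, 80, 6, 0, 0, 0)
    frame = bytes(54)  # constructed placeholder, not a real Ethernet/IP/TCP frame
    packet = PACKET_HEADER.pack(1, 1, 1378300100, 1378300100, 0, 1, len(frame)) + frame
    with open(os.path.join(logdir, "snort.u2.1378300100"), "wb") as fh:
        fh.write(RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event)
        fh.write(RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


def demo():
    """Build the sample logdir, pick the newest non-empty file and summarize it."""
    logdir = tempfile.mkdtemp(prefix="u2demo-")
    write_sample_logdir(logdir)
    path = newest_unified2(logdir)
    if path is None:
        print("no non-empty unified2 file under %s: Snort is not logging" % logdir)
        return {"logdir": logdir, "path": None, "counts": {}, "events": []}
    counts, events = summarize(path)
    print("%s: %s" % (path, counts))
    for ev in events:
        print("  [%d:%d:%d] %s:%d -> %s:%d proto %d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
            ev["dst"], ev["dport"], ev["proto"]))
    return {"logdir": logdir, "path": path, "counts": counts, "events": events}


if __name__ == "__main__":
    demo()
```

To point it at a real box, replace the call to write_sample_logdir() with your own logdir (/var/log/snort by default) and the base name from your 'output unified2:' line; a None from newest_unified2() means every file is still 0 bytes and the problem is on the Snort side, not in Barnyard2.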