[Snort-users] @snort.u2 file size 0 bytes
peter.bates at ...15381...
Thu Sep 5 04:09:15 EDT 2013
On 05/09/2013 07:47, anagha b wrote:
> I checked my snort.u2 file size is 0 bytes.
Okay - Snort should be generating some logs, and BY2 is for
processing the logs that Snort produces.

For now I'd ignore BY2 if your snort.u2 file is 0 bytes.

Check Snort is configured to log to a unified2 file:

    grep '^output' /path/to/snort.conf
    output unified2: filename snort.log, limit 128

Run Snort in the foreground with

    /path/to/snort -c /path/to/snort.conf -i ethX

where X is your 'sniffing' interface.

Generate some traffic.

Ctrl-C to end Snort.

Look to see if your .u2 file has been created and is not 0 bytes.
The default location for this is probably /var/log/snort but can
also be configured with 'logdir' in snort.conf.

If the .u2 file contains data, try running Snort as above again
to see if it makes a new file and also contains data.

You can use u2spewfoo to query the unified2 files.

When you're 100% sure that Snort is capturing traffic,
move onto BY2 and you can try running that in the foreground initially:

    /path/to/barnyard2 -c /path/to/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
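The checks in the reply above (confirm an 'output unified2:' line in snort.conf, work out the logdir, and verify that the log file is not 0 bytes) as an added POSIX shell script. This is example code, not part of the original post and not from the Snort or Barnyard2 projects; the snort.conf contents, the scratch directory and the timestamped file names it creates are constructed for the demo, and /var/log/snort is only the assumed default.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check that snort.conf has a
# unified2 output line and that the log directory holds a non-empty log file.
# Point check_snort_u2 at your own snort.conf; the demo below builds a fake one.

# u2_filename CONF -> prints the filename prefix from the first
# "output unified2:" line, fails if unified2 output is not configured.
u2_filename() {
    conf="$1"
    line=$(grep '^output unified2:' "$conf" | head -n 1)
    [ -n "$line" ] || return 1
    # Stanza shape: output unified2: filename snort.log, limit 128
    printf '%s\n' "$line" | sed -n 's/.*filename[ ]*\([^, ]*\).*/\1/p'
}

# u2_logdir CONF DEFAULT -> prints the "config logdir:" value from CONF,
# or DEFAULT (e.g. /var/log/snort, assumed here) when none is set.
u2_logdir() {
    conf="$1"; default="$2"
    dir=$(sed -n 's/^config logdir:[ ]*//p' "$conf" | head -n 1)
    printf '%s\n' "${dir:-$default}"
}

# u2_has_data LOGDIR PREFIX -> 0 if at least one LOGDIR/PREFIX* file is
# non-empty (Snort appends a timestamp, e.g. snort.log.1378368555), else 1.
u2_has_data() {
    dir="$1"; prefix="$2"
    for f in "$dir"/"$prefix"*; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# check_snort_u2 CONF [DEFAULT_LOGDIR] -> prints a verdict; returns 0 only when
# unified2 logging is configured and a non-empty log file exists,
# 2 when the output line is missing, 1 when every log file is empty/absent.
check_snort_u2() {
    conf="$1"; default_dir="${2:-/var/log/snort}"
    prefix=$(u2_filename "$conf") || {
        echo "no 'output unified2:' line in $conf"; return 2; }
    dir=$(u2_logdir "$conf" "$default_dir")
    if u2_has_data "$dir" "$prefix"; then
        echo "ok: non-empty $prefix* found in $dir"
        return 0
    fi
    echo "problem: no non-empty $prefix* in $dir (Snort not logging, wrong logdir, or no alerts yet)"
    return 1
}

# Constructed demo: scratch logdir + snort.conf so the checks run offline.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/snort.conf" <<EOF
config logdir: $tmp
output unified2: filename snort.log, limit 128
EOF
    : > "$tmp/snort.log.1378368555"                   # 0-byte file: the symptom in the thread
    check_snort_u2 "$tmp/snort.conf" || true           # reports the problem
    printf 'fake-record' > "$tmp/snort.log.1378368600" # a non-empty file appears
    check_snort_u2 "$tmp/snort.conf"                   # reports ok
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_u2.sh` to see both verdicts on the constructed files, or source it and call `check_snort_u2 /etc/snort/snort.conf` against a real install; a 0-byte-only result while Snort is running in the foreground usually means no rule has fired yet or Snort is writing somewhere other than the directory Barnyard2 is watching.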