[Snort-users] event id = 0 on all unified2 events

Jeremy Hoel jthoel at ...11827...
Thu Feb 6 13:25:32 EST 2014


The first comment you'll get is that 2.9.4 is End of Life and it will
be recommended that you upgrade to a more recently supported version
before any other help is probably given. That's 2.9.5.6 or 2.9.6.0.

On Thu, Feb 6, 2014 at 12:56 PM, Eugenio Pérez <eupm90 at ...11827...> wrote:
> Hi everyone.
>
> I've just installed snort and I'm seeing that all events in the unified2
> file have the event id field set to 0.
>
> I've checked the rules, and they all have a sid != 0, and I've configured the
> snort.conf unified output plugin like this:
>
> output unified2: filename snort.log, limit 128
>
> The same snort installation runs fine on other machines. So, under what
> circumstances is this field set to 0? Where should I look to get the event
> id field filled?
>
> BTW, I'm using the snort version 2.9.4.0.
>
> Thanks in advance.
>