[Snort-users] snort - unified2 format

Y M snort at ...15979...
Wed Jun 11 10:44:01 EDT 2014

The -A fast in the first command is overriding your unified2 output plugin in snort.conf. Remove it and it should work fine.

The -A fast will write in binary format and not unified2.


From: Michael Mittentag <michael.mittentag at ...11827...>
Sent: 6/11/2014 5:34 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort - unified2 format

I am running the latest version of snort


In /etc/snort/snort.conf

I added this and commented out the other lines:

output unified2: filename snort.u2, limit 128

If I try to start snort using the /etc/init.d/snortd script, it runs it as:

/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort

and I never see those snort u2 files; instead I see:


and barnyard2 seems to have an issue with reading those files.

If I manually run snort from (/usr/sbin/snort -c /etc/snort/snort.conf)
without any options, it then creates the right file type.

It is almost like it is not reading /etc/snort/snort.conf?

If anyone has any ideas that would be great.
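
The override described in the reply can be checked before restarting the service by comparing the init script's command line with the active `output` lines in snort.conf. This is an added example, not part of the thread or of the Snort project; the function name `check_snort_output` and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# check_snort_output "<snort command line>" <path to snort.conf>
# Return codes: 0 = unified2 output active and no -A on the command line,
#               1 = -A present, so the configured output plugin is overridden,
#               2 = no active "output unified2" line in the config.
check_snort_output() {
    cmdline=$1
    conf_path=$2

    # Names of active (uncommented) output plugins in the config.
    plugins=$(sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$conf_path")

    # Find the alert mode, given either as "-A mode" or as "-Amode".
    alert_mode=
    prev=
    for word in $cmdline; do
        case $word in
            -A?*) alert_mode=${word#-A} ;;
            *)    if [ "$prev" = "-A" ]; then alert_mode=$word; fi ;;
        esac
        prev=$word
    done

    if ! printf '%s\n' "$plugins" | grep -qx 'unified2'; then
        echo "no active 'output unified2' line in $conf_path"
        return 2
    fi
    if [ -n "$alert_mode" ]; then
        echo "-A $alert_mode overrides 'output unified2'; remove -A from the command line"
        return 1
    fi
    echo "unified2 output is in effect"
    return 0
}

# Constructed sample config: one commented-out plugin, one active unified2 line.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# output alert_fast: alert
output unified2: filename snort.u2, limit 128
EOF

# The init script's command line from the thread, then the manual run.
check_snort_output "/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort" "$sample_conf" || true
check_snort_output "/usr/sbin/snort -c /etc/snort/snort.conf" "$sample_conf" || true
```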
