[Snort-users] snort - unified2 format

Michael Mittentag michael.mittentag at ...11827...
Wed Jun 11 11:04:27 EDT 2014


Great I tried that and it worked!


What I did was comment out the following in /etc/sysconfig/snort:

#ALERTMODE=fast
#BINARY_LOG=1

now when I start snort using /etc/init.d/snortd it runs the following
instead:

/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort


and now I am seeing the snort.u2 and it is sending over to the DB

Thanks again for all your help!





On Wed, Jun 11, 2014 at 10:44 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:

>  You have "-A fast -b" on the command line.  This overrides your output
> directive in the snort.conf
>
>  --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
>
>  On Jun 11, 2014, at 10:30 AM, Michael Mittentag <
> michael.mittentag at ...11827...> wrote:
>
>  I am running the latest version of snort
>
>  snort-2.9.6.1-1.x86_64
>
>  in /etc/snort/snort.conf
>
>
>  I added this and commented out the other lines:
>
>  output unified2: filename snort.u2, limit 128
>
>
>  if I try to start snort using the /etc/init.d/snortd script it runs it
> as:
>
>
>  /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
>
>  and I never see those snort u2 files instead I see:
>
>  /var/log/snort/snort.log.xxxxxxxxxxx
>
>
>  and barnyard2 seems to have an issue with reading those files.
>
>
>  If I manually run snort from (/usr/sbin/snort -c /etc/snort/snort.conf)
> without any options it then creates the right file type
> /var/log/snort/snort.u2.xxxxxxxx
>
>
>  It is almost like it is not reading /etc/snort/snort.conf?
>
>  If anyone has any ideas that would be great.
>
>
>  Thanks
>
>
>
>
>
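Since barnyard2 expects unified2 input and `snort -b` writes tcpdump-format packet logs to snort.log.<timestamp>, the quickest way to tell which kind of file is sitting in /var/log/snort is to look at its leading bytes. The following is an added example, not code from the thread or from Snort: it distinguishes a pcap file from a unified2 file and walks unified2 record headers. The record type values come from Snort's Unified2_common.h; the sample bytes are constructed.

```python
import struct

# Unified2 record types (values from Snort's Unified2_common.h).
UNIFIED2_RECORD_TYPES = {
    2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
    99: "IDS_EVENT_MPLS", 100: "IDS_EVENT_IPV6_MPLS",
    104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA",
}
# libpcap magic numbers (both byte orders, micro- and nanosecond variants).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}


def unified2_records(data):
    """Walk the stream of unified2 records: each starts with an 8-byte header
    (type, length) in network byte order followed by `length` bytes of body.
    Returns a list of (type, length); raises ValueError on a malformed stream."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from("!II", data, off)
        if rtype not in UNIFIED2_RECORD_TYPES:
            raise ValueError("unknown record type %d at offset %d" % (rtype, off))
        if off + 8 + rlen > len(data):
            raise ValueError("record at offset %d runs past end of data" % off)
        records.append((rtype, rlen))
        off += 8 + rlen
    return records


def is_well_formed_unified2(data):
    """True if every record header in `data` parses and the lengths add up."""
    try:
        return bool(unified2_records(data))
    except ValueError:
        return False


def classify_snort_log(head):
    """Classify a log file from its first bytes: 'pcap' (what 'snort -b'
    writes to snort.log.*), 'unified2' (what barnyard2 can read) or 'unknown'."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if len(head) >= 8:
        rtype, rlen = struct.unpack_from("!II", head, 0)
        if rtype in UNIFIED2_RECORD_TYPES and 0 < rlen < 2 ** 17:
            return "unified2"
    return "unknown"


def classify_file(path):
    """Read just enough of a file to classify it (the sysconfig check above
    tells you what snort will write; this tells you what it actually wrote)."""
    with open(path, "rb") as fh:
        return classify_snort_log(fh.read(8))
```

Run `classify_file` over /var/log/snort/snort.log.* and snort.u2.*; a "pcap" verdict on the file barnyard2 is being pointed at is the symptom described in this thread.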