[Snort-users] snort - unified2 format

Steve Crow scrow at ...16818...
Wed Jun 11 16:24:48 EDT 2014


I will give this a try as well.

Steve

From: Michael Mittentag [mailto:michael.mittentag at ...11827...]
Sent: Wednesday, June 11, 2014 10:04 AM
To: Joel Esler (jesler)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort - unified2 format

Great, I tried that and it worked!

What I did was comment out the following in /etc/sysconfig/snort:

#ALERTMODE=fast
#BINARY_LOG=1

Now when I start snort using /etc/init.d/snortd it runs the following instead:

/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

and now I am seeing the snort.u2 file and it is sending over to the DB.

Thanks again for all your help!

On Wed, Jun 11, 2014 at 10:44 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

You have "-A fast -b" on the command line. This overrides your output directive in the snort.conf.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jun 11, 2014, at 10:30 AM, Michael Mittentag <michael.mittentag at ...13704......> wrote:

I am running the latest version of snort:

snort-2.9.6.1-1.x86_64

In /etc/snort/snort.conf I added this and commented out the other lines:

output unified2: filename snort.u2, limit 128

If I try to start snort using the /etc/init.d/snortd script it runs it as:

/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

and I never see those snort u2 files; instead I see:

/var/log/snort/snort.log.xxxxxxxxxxx

and barnyard2 seems to have an issue with reading those files.

If I manually run snort from (/usr/sbin/snort -c /etc/snort/snort.conf) without any options it then creates the right file type /var/log/snort/snort.u2.xxxxxxxx

It is almost like it is not reading /etc/snort/snort.conf?

If anyone has any ideas that would be great.

Thanks
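As an added check, not part of the thread and not Snort's or barnyard2's own code: a short Python script that tells apart the pcap-format snort.log.* that "-b" writes from the unified2 snort.u2.* that "output unified2" writes, and decodes the legacy IPv4 IDS event record (type 7) that barnyard2 consumes. The sample bytes are constructed here, not captured from the poster's sensor; the record-type numbers are the ones from Snort's Unified2_common.h.

```python
import socket
import struct

# pcap global-header magics (both byte orders, micro/nanosecond): what "snort -b" writes
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}
# unified2 record types (values from Snort's Unified2_common.h)
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6", 104: "IDS_EVENT_VLAN",
            105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}

def sniff_format(data):
    """Classify a log by its first 4 bytes: pcap magic vs. a known unified2 record type."""
    if len(data) < 8:
        return "unknown"
    first = struct.unpack(">I", data[:4])[0]
    if first in PCAP_MAGICS:
        return "pcap"
    return "unified2" if first in U2_TYPES else "unknown"

def iter_records(data):
    """Each unified2 record is a big-endian (type, length) header followed by `length` bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen

def parse_ids_event(body):
    """Decode the 52-byte legacy IPv4 IDS event (record type 7)."""
    f = struct.unpack(">9I4s4sHHBBBB", body[:52])
    return {"event_id": f[1], "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
            "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
            "sport": f[11], "dport": f[12], "proto": f[13]}

def summarize(data):
    """Return decoded IDS events for a unified2 blob, or None if the file is not unified2."""
    if sniff_format(data) != "unified2":
        return None
    return [parse_ids_event(b) for t, b in iter_records(data) if t == 7]

# Constructed samples: one type-7 event (sid 1000001, 192.168.1.10:44321 -> 10.0.0.5:80/tcp)
# and a bare pcap global header, as "-b" would start a snort.log.* file.
SAMPLE_U2 = struct.pack(">II", 7, 52) + struct.pack(
    ">9I4s4sHHBBBB", 0, 1, 1402497600, 0, 1000001, 1, 1, 0, 3,
    socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"), 44321, 80, 6, 0, 0, 0)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
```

On a real sensor, `summarize(open("/var/log/snort/snort.u2.xxxxxxxx", "rb").read())` returns the decoded events, while the same call on a snort.log.* file written by "-b" returns None, which is the mismatch barnyard2 trips over.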

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
