[Snort-users] snort - unified2 format

Steve Crow scrow at ...16818...
Wed Jun 11 16:24:48 EDT 2014

I will give this a try as well.




From: Michael Mittentag [mailto:michael.mittentag at ...11827...] 
Sent: Wednesday, June 11, 2014 10:04 AM
To: Joel Esler (jesler)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort - unified2 formart


Great I tried that and it worked!



What I did was comment out the following in /etc/sysconfig/snort:





now when I start snort using /etc/init.d/snortd it runs the following instead:


/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort



and now I am seeing the snort.u2 and it is sending over to the DB 


Thanks again for all your help!





On Wed, Jun 11, 2014 at 10:44 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

You have "-A fast -b” on the command line.  This overrides your output directive in the snort.conf 


Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team


On Jun 11, 2014, at 10:30 AM, Michael Mittentag <michael.mittentag at ...13704......> wrote:


I am running the latest version of snort 




in /etc/snort/snort.conf



I added this and commented out the other lines:


output unified2: filename snort.u2, limit 128



if I try to start snort using the /etc/init.d/snortd script it runs it as:



/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort



and I never see those snort u2 files instead I see:





and barnyard2 seems to have an issue with reading those files.



If i manually run snort form (/usr/sbin/snort -c /etc/snort/snort.conf) without any options it then creates the right file type /var/log/snort/snort.u2.xxxxxxxx



It is almost like it is not reading /etc/snort/snort.conf?


If anyone has any ideas that would be great.








HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140611/7374e7fd/attachment.html>

More information about the Snort-users mailing list