[Snort-users] Unified 2 not working. I need help.

Matthew White on3moda at ...11827...
Mon Feb 1 11:45:25 EST 2016


I am getting snort.log, alert, and unified2 alerts which replace the alert.
I am not getting just the plain .u2.

Anyone else have a take on this?

On Thu, Jan 28, 2016 at 8:07 AM, James Lay <jlay at ...13475...> wrote:

> At this time I will defer this to someone else on the list.
>
> James
>
>
> On Wed, 2016-01-27 at 15:00 -0600, Matthew White wrote:
>
> yes I tried that and still a no go.
>
>
> On Mon, Jan 25, 2016 at 10:21 AM, James Lay <jlay at ...13475...>
> wrote:
>
> Try:
>
> output unified2: filename /(path)/external1.u2
>
> James
>
> On 2016-01-25 08:52, Matthew White wrote:
>
> Ran /(path)/snort -D -q -i eth3 -F /(path)/internalbf.filter -c
> /(path)/snort.conf.internal as root but still the same.
>
> Also ran /(path)/snort -i eth3 -F /(path)/internalbf.filter -c
> /(path)/snort.conf.internal as root but still the same.
>
>
>
> What's funny is that output alert_unified2: works fine.
>
>
>
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp,
> mpls_event_types, vlan_event_types
>
> output unified2: filename /(path)/external1-snort.log, limit 128,
> vlan_event_types
> output alert_unified2: filename external1-snort.alert, limit 128
>
>
> On Sat, Jan 23, 2016 at 5:13 AM, James Lay <jlay at ...13475...>
> wrote:
>
> At this point I would test as root...otherwise please post a sanitized
> version of your complete snort.conf.
>
> James
>
>
>
> On Fri, 2016-01-22 at 16:02 -0600, Matthew White wrote:
>
> Tried your steps and still no .u2 file.
> On Fri, Jan 22, 2016 at 2:59 PM, James Lay <jlay at ...13475...>
> wrote:
>
> Specify full path in your snort.conf:
>
> output unified2: filename /your/path/here/bleh.u2
>
> for testing remove the -D and -q from your command line.
>
> James
> On 2016-01-22 13:50, Matthew White wrote:
>
> tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3 -F
> /etc/snort/internalbpf.filter -c
> /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort still to no avail.
> On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar <avery.rozar at ...17372...>
> wrote:
>
> Try adding "-l /var/log/snort" to step # 4.
> On Fri, Jan 22, 2016 at 3:33 PM, Matthew White <on3moda at ...11827...> wrote:
>
> 1. The specified unified 2 log is not being created.
> 2. Instead I get the snort.log.date (tcpdump) default and alerts.
> 3. snort.conf - output unified2: filename internal.u2, limit 128,
> vlan_event_types
> 4. running snort with sudo /usr/local/bin/snort -D -q -i eth3 -F
> /etc/snort/internalbpf.filter -c
> /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
> 5. No errors or warnings when grepping /var/log/messages
> 6. Running RHEL 6
> 7. Installed and compiled from source
> 8. Snort has rwx for /var/log/snort
> 9. Deleted all logs
> 10. Since this was installed from a tarball no file /etc/sysconfig/snort
> exists.
> 11. tail -f alerts and snort.log are working great.
> 12. Manually made /etc/sysconfig/snort with the following with no success
> as well.
>
> # /etc/sysconfig/snort
> # $Id:
> #### General Configuration
> INTERFACE=eth2
> CONF=/(Path to)/snort.conf
> USER=snort
> GROUP=snort
> PASS_FIRST=0
> #### Logging & Alerting
> LOGDIR=/var/log/snort
> ALERTMODE=fast
> DUMP_APP=1
> BINARY_LOG=1
> NO_PACKET_LOG=0
> PRINT_INTERFACE=0
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
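The thread hinges on telling a log_tcpdump "snort.log.<timestamp>" file apart from a unified2 file. As an added diagnostic (my own code, not from the thread or the Snort project), this script classifies a log file by its leading bytes, walks the unified2 record headers, and pulls gid:sid:rev out of each VLAN event record; the record layouts follow Snort's Unified2_common.h, and the sample bytes are constructed inline rather than captured from a sensor.

```python
import struct
from collections import Counter

U2_HDR = struct.Struct("!II")  # every record starts with big-endian uint32 type, uint32 length
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",  # from Snort's Unified2_common.h
            104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
# libpcap magic (both byte orders, plus nanosecond variants): what a log_tcpdump snort.log.<ts> starts with
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

def iter_u2_records(data: bytes):
    """Yield (type, payload) per record; raise ValueError if the bytes are not well-formed unified2."""
    off = 0
    while off < len(data):
        if len(data) - off < U2_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = U2_HDR.unpack_from(data, off)
        if rtype not in U2_TYPES:
            raise ValueError(f"unknown record type {rtype} at offset {off}")
        if off + U2_HDR.size + rlen > len(data):
            raise ValueError(f"record at offset {off} runs past end of data")
        yield rtype, data[off + U2_HDR.size:off + U2_HDR.size + rlen]
        off += U2_HDR.size + rlen

def classify(data: bytes) -> str:
    """'pcap' for a log_tcpdump file, 'unified2' for data with at least one valid record, else 'unknown'."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    try:
        return "unified2" if sum(1 for _ in iter_u2_records(data)) else "unknown"
    except ValueError:
        return "unknown"

def summarize(data: bytes) -> dict:
    """Count records per type and extract (gid, sid, rev) from each VLAN event record."""
    counts, sigs = Counter(), []
    for rtype, payload in iter_u2_records(data):
        counts[U2_TYPES[rtype]] += 1
        if rtype == 104:  # Unified2IDSEvent starts: sensor_id, event_id, sec, usec, sid, gid, rev
            _, _, _, _, sid, gid, rev = struct.unpack_from("!7I", payload)
            sigs.append((gid, sid, rev))
    return {"counts": dict(counts), "signatures": sigs}

# Constructed sample bytes (not from a sensor): a 60-byte VLAN event for rule 1:2000000:3, its PACKET
# record (Serial_Unified2Packet header + 4-byte stand-in payload), and a bare little-endian pcap header.
_EVENT = struct.pack("!11I2H4BI2H", 1, 7, 1453495200, 0, 2000000, 1, 3, 0, 2, 0x0A000001,
                     0x0A000002, 12345, 80, 6, 0, 0, 0, 0, 100, 0)
_PACKET = struct.pack("!7I", 1, 7, 1453495200, 1453495200, 0, 1, 4) + b"\xde\xad\xbe\xef"
SAMPLE_U2 = U2_HDR.pack(104, len(_EVENT)) + _EVENT + U2_HDR.pack(2, len(_PACKET)) + _PACKET
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16
```

Run `classify(open(path, "rb").read())` on whatever appears in the log directory: a file that reports "pcap" is the tcpdump-style packet log, not the unified2 output the config asked for.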