[Snort-users] Unified 2 not working. I need help.

Matthew White on3moda at ...11827...
Fri Jan 22 15:50:58 EST 2016


Tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort, still to no avail.

On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar <avery.rozar at ...17372...>
wrote:

> Try adding "-l /var/log/snort" to step # 4.
>
> On Fri, Jan 22, 2016 at 3:33 PM, Matthew White <on3moda at ...11827...> wrote:
>
>> 1. The specified unified 2 log is not being created.
>> 2. Instead I get the snort.log.date (tcpdump) default and alerts.
>> 3. snort.conf - output unified2: filename internal.u2, limit 128, vlan_event_types
>> 4. running snort with sudo /usr/local/bin/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
>> 5. No errors or warnings when grepping /var/log/messages
>> 6. Running RHEL 6
>> 7. Installed and compiled from source
>> 8. Snort has rwx for /var/log/snort
>> 9. Deleted all logs
>> 10. Since this was installed from a tarball no file /etc/sysconfig/snort exists.
>> 11. tail -f alerts and snort.log are working great.
>> 12. Manually made /etc/sysconfig/snort with the following with no success as well.
>>
>> # /etc/sysconfig/snort
>> # $Id:
>> #### General Configuration
>> INTERFACE=eth2
>> CONF=/(Path to)/snort.conf
>> USER=snort
>> GROUP=snort
>> PASS_FIRST=0
>> #### Logging & Alerting
>> LOGDIR=/var/log/snort
>> ALERTMODE=fast
>> DUMP_APP=1
>> BINARY_LOG=1
>> NO_PACKET_LOG=0
>> PRINT_INTERFACE=0
>>
>>
>
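Once the unified2 file does appear under the -l directory, the next check is that it actually holds well-formed records rather than a partial write. The reader below is an added example, not code from this thread or from Snort itself (u2spewfoo, shipped with Snort, does the same job in C); the record layouts follow Snort's Unified2_common.h and the sample bytes are constructed.

```python
import struct
import socket

# Unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with VLAN/MPLS fields, 60-byte body
UNIFIED2_EXTRA_DATA = 110

# Leading fields shared by types 7 and 104; everything is network byte order
_EVENT_FMT = "!IIIIIIIII4s4sHHBBBB"   # sensor, event_id, sec, usec, sid, gid, rev,
_EVENT_LEN = struct.calcsize(_EVENT_FMT)  # class, prio, src, dst, sport, dport, ...


def parse_unified2(data):
    """Walk the records in a unified2 byte string and summarise each one.

    Every record is an 8-byte header (type, length) followed by the body.
    A truncated trailing record is reported and parsing stops there, which is
    the normal state of a file Snort still has open for writing.
    """
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            records.append(("truncated-header", len(data) - off))
            break
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8: off + 8 + rlen]
        if len(body) < rlen:
            records.append(("truncated-body", rtype))
            break
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            f = struct.unpack_from(_EVENT_FMT, body, 0)
            records.append(("event", {
                "event_id": f[1], "gid_sid_rev": (f[5], f[4], f[6]),
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13]}))
        elif rtype == UNIFIED2_PACKET:
            # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len
            _, event_id, _, _, _, linktype, plen = struct.unpack_from("!IIIIIII", body, 0)
            records.append(("packet", {"event_id": event_id, "linktype": linktype,
                                       "packet_length": plen}))
        else:
            records.append(("other", rtype))
        off += 8 + rlen
    return records


def build_sample():
    """Constructed input: one type-7 event (gid 1, sid 1000001, rev 3) and its packet."""
    event = struct.pack(_EVENT_FMT, 1, 42, 1453495858, 0, 1000001, 1, 3, 0, 1,
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"),
                        40000, 80, 6, 0, 0, 0)
    payload = b"\x00" * 14   # constructed: a zeroed Ethernet header as the packet bytes
    packet = struct.pack("!IIIIIII", 1, 42, 1453495858, 1453495858, 0, 1, len(payload)) + payload
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event +
            struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)
```

Run it over /var/log/snort/internal.u2.<timestamp> with open(path, "rb").read(); an empty list means the file holds no complete record yet.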