[Snort-users] Snort++ Build 239

Russ rucombs at cisco.com
Mon Aug 7 12:06:13 EDT 2017



On 8/7/17 11:53 AM, Jim Campbell wrote:
> Now that I have a running (though back-level) IPS I'll play with 
> getting the unified2x logger working. For clarification, does this 
> mean that I can use Snort++ and the unified2x logger will output 
> records understandable by Barnyard2?
Yes.  You will get the same event types as 2X.  The difference is that 
Snort++ data buffers records will not be handled.  I'm looking into what 
can be done to just make that work until the tool chains are updated.  
But this will get you back to where you were before the new events were 
added.
>
> On 8/7/2017 11:40 AM, Russ wrote:
>> Glad you got something working, though it is a step backwards. 
>> Snort++ can do all that Snort 2.X can do and more, and with better 
>> performance.  The unified2x logger is there if you should decide to 
>> upgrade at some point.
>>
>> On 8/7/17 11:24 AM, Jim Campbell wrote:
>>> Russ,
>>>
>>> There is another way to "get me back to where I was." Since the 
>>> Snort group had the foresight to install Snort3 with an entirely 
>>> different directory path than Snort2, I installed the rest of Snort2 
>>> (some of it was already there) in the old path. I had to touch up 
>>> some of the config files but that allowed me to regress to Snort 
>>> 2.9.9.0 with little pain. I've had Snort2 humming along nicely for 
>>> the last several days. I'm using Barnyard2, Pulledpork, Apache2 and 
>>> BASE for the rest of my installation.
>>>
>>> Thanks for your help.
>>>
>>> Jim
>>>
>>> On 8/7/2017 9:18 AM, Russ wrote:
>>>> Not aware of any barnyard2 alternatives. Maybe Joel has some 
>>>> suggestions.
>>>>
>>>> Since I haven't heard anything from the barnyard2 groups, I've 
>>>> resurrected the old unified2 logger as unified2x in the extras. You 
>>>> will need to build and install the extras and use --plugin-path to 
>>>> point to the installed plugins and then add unified2x = { } (or 
>>>> however you configure it) to your snort.lua. The existing unified2 
>>>> logger will only generate newer events so you must use unified2x 
>>>> instead.  That should get you back to where you were.
>>>>
>>>>
>>>> On 7/31/17 10:08 AM, Jim Campbell wrote:
>>>>> I forgot to ask; Is there a viable alternative to Barnyard2? What 
>>>>> do you suggest?
>>>>>
>>>>> Jim
>>>>>
>>>>> On 7/31/2017 9:30 AM, Russ wrote:
>>>>>> Snort++ has new record types for u2 output and no longer outputs 
>>>>>> the legacy types.  I've contacted the barnyard2 folks to work 
>>>>>> with them on updates.
>>>>>>
>>>>>> How are you using barnyard2?  Are you feeding a database?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>




More information about the Snort-users mailing list