[Snort-users] Snort++ Build 239

Jim Campbell jim at w4bqp.net
Tue Aug 8 11:22:14 EDT 2017


Russ,

I believe that I have Snort++ outputting the unified2x log files. 
Following is the command line that I am using (I've moved the rules file 
specification into snort.lua.)

sudo /opt/snort/bin/snort -Q -q -c /opt/snort/etc/snort/snort.lua --daq afpacket -i enp1s0:enp4s0 --plugin-path /opt/snort/lib/snort_extra -A unified2x

This is the u2spewfoo output for one of the unified2x records:

(Event)
        sensor id: 0    event id: 1     event second: 1502204570        event microsecond: 285494
        sig id: 15      gen id: 129     revision: 1     classification: 3
        priority: 2     ip source: 192.168.254.2        ip destination: 54.174.67.216
        src port: 53313 dest port: 443  ip_proto: 6     impact_flag: 0  blocked: 0
        mpls label: 0   vlan id: 0      policy id: 0    appid:

Packet
        sensor id: 0    event id: 1     event second: 1502204570
        packet second: 1502204570       packet microsecond: 285494
        linktype: 1     packet_length: 60
[    0] 00 26 91 56 78 0B B0 7F B9 1A 2E FF 08 00 45 00 .&.Vx.........E.
[   16] 00 28 57 9E 40 00 3F 06 AB 00 C0 A8 FE 02 36 AE .(W.@.?.......6.
[   32] 43 D8 D0 41 01 BB 9D 2A 41 7A 00 00 00 00 50 04 C..A...*Az....P.
[   48] 00 00 C6 0D 00 00 00 00 00 00 00 00 ............

I've got some tweaking to do. For example my unified2x file is in /home/jim.

Thanks for your help.

Jim

On 8/7/2017 12:06 PM, Russ wrote:
>
>
> On 8/7/17 11:53 AM, Jim Campbell wrote:
>> Now that I have a running (though back-level) IPS I'll play with 
>> getting the unified2x logger working. For clarification, does this 
>> mean that I can use Snort++ and the unified2x logger will output 
>> records understandable by Barnyard2?
> Yes.  You will get the same event types as 2X.  The difference is that 
> Snort++ data buffers records will not be handled.  I'm looking into 
> what can be done to just make that work until the tool chains are 
> updated.  But this will get you back to where you were before the new 
> events were added.
>>
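As an added example (not code from Snort or from anyone in this thread), the following Python reads and writes unified2 records of the kinds shown in the u2spewfoo dump above and cross-checks a packet record against its event, the sort of sanity check a consumer such as Barnyard2 has to make before trusting the logged packet. Record layouts and type numbers (2, 7, 104, 111) follow Snort's Unified2_common.h; that the dump above came from the appid event type (111) is an assumption, and the sample event and 60-byte frame are reconstructed from the values in the dump.

```python
# Added example, not Snort's own code: unified2 reader/writer plus an event<->packet consistency check.
import socket
import struct
UNIFIED2_PACKET = 2             # Serial_Unified2Packet: 28-byte header + raw frame
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # + mpls label, vlan id, policy id (60 bytes)
UNIFIED2_IDS_EVENT_APPID = 111  # + 64-byte NUL-padded app name (124 bytes); assumed type of the dump above
REC_HDR = struct.Struct("!II")                 # record type, body length (everything is big-endian)
EV_BASE = struct.Struct("!IIIIIIIIIIIHHBBBB")  # the 52 bytes common to all three event types
EV_VLAN = struct.Struct("!IHH")                # mpls_label, vlan_id, policy_id
PKT_HDR = struct.Struct("!IIIIIII")            # fields preceding packet_data
MIN_LEN = {UNIFIED2_IDS_EVENT: 52, UNIFIED2_IDS_EVENT_VLAN: 60, UNIFIED2_IDS_EVENT_APPID: 124,
           UNIFIED2_PACKET: PKT_HDR.size}
EV_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
             "generator_id", "signature_revision", "classification_id", "priority_id", "ip_source",
             "ip_destination", "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PKT_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
              "packet_microsecond", "linktype", "packet_length")

def build_event(rtype, ev):
    """Serialise an IPv4 event dict (EV_FIELDS plus optional vlan/appid keys) as one record."""
    vals = [ev[k] for k in EV_FIELDS]
    vals[9:11] = [int.from_bytes(socket.inet_aton(a), "big") for a in vals[9:11]]
    body = EV_BASE.pack(*vals)
    if rtype != UNIFIED2_IDS_EVENT:
        body += EV_VLAN.pack(ev.get("mpls_label", 0), ev.get("vlan_id", 0), ev.get("policy_id", 0))
    if rtype == UNIFIED2_IDS_EVENT_APPID:
        body += ev.get("appid", "").encode("ascii")[:64].ljust(64, b"\0")
    return REC_HDR.pack(rtype, len(body)) + body

def build_packet(pkt, frame):
    """Serialise a packet record; packet_length is derived from the frame, not taken from input."""
    body = PKT_HDR.pack(*[pkt[k] for k in PKT_FIELDS[:-1]], len(frame)) + frame
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body

def parse_unified2(data):
    """Return [(record_type, dict), ...]; raise ValueError rather than read past a short record."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size:off + REC_HDR.size + rlen]
        if len(body) != rlen or rlen < MIN_LEN.get(rtype, 0):
            raise ValueError("truncated or undersized record at offset %d" % off)
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
            ev = dict(zip(EV_FIELDS, EV_BASE.unpack_from(body)))
            for k in ("ip_source", "ip_destination"):
                ev[k] = socket.inet_ntoa(ev[k].to_bytes(4, "big"))
            if rtype != UNIFIED2_IDS_EVENT:
                ev["mpls_label"], ev["vlan_id"], ev["policy_id"] = EV_VLAN.unpack_from(body, EV_BASE.size)
            if rtype == UNIFIED2_IDS_EVENT_APPID:
                ev["appid"] = body[EV_BASE.size + EV_VLAN.size:][:64].split(b"\0", 1)[0].decode("ascii", "replace")
            out.append((rtype, ev))
        elif rtype == UNIFIED2_PACKET:
            pkt = dict(zip(PKT_FIELDS, PKT_HDR.unpack_from(body)))
            pkt["data"] = body[PKT_HDR.size:]
            if len(pkt["data"]) != pkt["packet_length"]:
                raise ValueError("packet_length disagrees with record length at offset %d" % off)
            out.append((rtype, pkt))
        else:
            out.append((rtype, {"raw": body}))  # e.g. extra-data records: keep the bytes, skip cleanly
        off += REC_HDR.size + rlen
    return out

def ipv4_five_tuple(frame):
    """(src, dst, sport, dport, proto) of an Ethernet/IPv4 frame (linktype 1); None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4, sport, dport = 14 + ihl, 0, 0
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, sport, dport, proto

def check_pair(ev, pkt):
    """Fields on which a packet record disagrees with its event; [] means consistent."""
    bad = [k for k in ("sensor_id", "event_id", "event_second") if ev[k] != pkt[k]]
    want = (ev["ip_source"], ev["ip_destination"], ev["sport_itype"], ev["dport_icode"], ev["protocol"])
    if pkt["linktype"] == 1 and ipv4_five_tuple(pkt["data"]) != want:
        bad.append("five_tuple")
    return bad

SAMPLE_EVENT = dict(  # constructed from the u2spewfoo dump above
    sensor_id=0, event_id=1, event_second=1502204570, event_microsecond=285494, signature_id=15,
    generator_id=129, signature_revision=1, classification_id=3, priority_id=2, ip_source="192.168.254.2",
    ip_destination="54.174.67.216", sport_itype=53313, dport_icode=443, protocol=6, impact_flag=0,
    impact=0, blocked=0, mpls_label=0, vlan_id=0, policy_id=0, appid="")
SAMPLE_PACKET = dict(sensor_id=0, event_id=1, event_second=1502204570,  # same join key as the event
                     packet_second=1502204570, packet_microsecond=285494, linktype=1)
SAMPLE_FRAME = bytes.fromhex(  # the 60 bytes hex-dumped above
    "00269156780b b07fb91a2eff 0800"                       # Ethernet: dst MAC, src MAC, type IPv4
    "45000028579e40003f06ab00 c0a8fe02 36ae43d8"           # IPv4: ttl 63, proto 6, 192.168.254.2 -> 54.174.67.216
    "d041 01bb 9d2a417a 00000000 5004 0000 c60d 0000 000000000000")  # TCP 53313 -> 443, RST; 6-byte pad

def demo():
    """Write the sample as one event + one packet record, read it back and cross-check the pair."""
    blob = build_event(UNIFIED2_IDS_EVENT_APPID, SAMPLE_EVENT) + build_packet(SAMPLE_PACKET, SAMPLE_FRAME)
    (_, ev), (_, pkt) = parse_unified2(blob)
    return ev, pkt, check_pair(ev, pkt)
```

demo() round-trips the sample and returns an empty mismatch list. A packet whose addresses or ports differ from the event it is attached to, an event and packet whose sensor/event ids or timestamps disagree, or a file cut short mid-record is reported instead of being silently accepted, and record types the reader does not decode are carried through as raw bytes rather than aborting the whole file.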