[Snort-users] Snort++ Build 239

Russ rucombs at cisco.com
Wed Aug 9 17:36:34 EDT 2017


OK.  We are going to make some changes to Snort++ to better support 
barnyard2 at least temporarily but barnyard2 won't be able to support 
Snort++ completely without changes.

Also, you may want to look into using snort -g -u (specifying group and 
user) so that it doesn't have to run as root.  It will still have to 
start up as root to open your interfaces, but after that it can drop 
privileges, which is more secure.

On 8/8/17 11:22 AM, Jim Campbell wrote:
> Russ,
>
> I believe that I have Snort++ outputting the unified2x log files. 
> Following is the command line that I am using (I've moved the rules 
> file specification into snort.lua.)
>
> sudo /opt/snort/bin/snort -Q -q -c /opt/snort/etc/snort/snort.lua 
> --daq afpacket -i enp1s0:enp4s0 --plugin-path 
> /opt/snort/lib/snort_extra -A unified2x
>
> This is the u2spewfoo output for one of the unified2x records:
>
> (Event)
>         sensor id: 0    event id: 1     event second: 
> 1502204570        event microsecond: 285494
>         sig id: 15      gen id: 129     revision: 1 classification: 3
>         priority: 2     ip source: 192.168.254.2        ip 
> destination: 54.174.67.216
>         src port: 53313 dest port: 443  ip_proto: 6 impact_flag: 0  
> blocked: 0
>         mpls label: 0   vlan id: 0      policy id: 0    appid:
>
> Packet
>         sensor id: 0    event id: 1     event second: 1502204570
>         packet second: 1502204570       packet microsecond: 285494
>         linktype: 1     packet_length: 60
> [    0] 00 26 91 56 78 0B B0 7F B9 1A 2E FF 08 00 45 00 .&.Vx.........E.
> [   16] 00 28 57 9E 40 00 3F 06 AB 00 C0 A8 FE 02 36 AE .(W.@.?.......6.
> [   32] 43 D8 D0 41 01 BB 9D 2A 41 7A 00 00 00 00 50 04 C..A...*Az....P.
> [   48] 00 00 C6 0D 00 00 00 00 00 00 00 00 ............
>
> I've got some tweaking to do. For example my unified2x file is in 
> /home/jim.
>
> Thanks for your help.
>
> Jim
>
> On 8/7/2017 12:06 PM, Russ wrote:
>>
>>
>> On 8/7/17 11:53 AM, Jim Campbell wrote:
>>> Now that I have a running (though back-level) IPS I'll play with 
>>> getting the unified2x logger working. For clarification, does this 
>>> mean that I can use Snort++ and the unified2x logger will output 
>>> records understandable by Barnyard2?
>> Yes.  You will get the same event types as 2X.  The difference is 
>> that Snort++ data buffers records will not be handled.  I'm looking 
>> into what can be done to just make that work until the tool chains 
>> are updated.  But this will get you back to where you were before the 
>> new events were added.
>>>
>
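Added example, not code from this thread or from Snort or barnyard2: a small Python reader that builds a unified2 stream carrying the same event and packet Jim's u2spewfoo output shows, then parses it. The layouts assumed are the classic Unified2 IPv4 event with vlan/policy fields (record type 104) and the packet record (type 2), both big-endian; the third record, type 999, is a constructed stand-in for a record type the consumer does not know, showing how a reader skips it by its length field instead of stopping the way a consumer without such handling would.

```python
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event incl. mpls label, vlan id, policy id

HDR = struct.Struct("!II")      # Serial_Unified2_Header: type, length
EVENT = struct.Struct("!11I2H4BI2H")  # Unified2IDSEvent (VLAN layout), 60 bytes
PACKET = struct.Struct("!7I")   # Serial_Unified2Packet fixed part, then packet_data

# The 60-byte TCP RST frame from the quoted u2spewfoo dump.
PKT_BYTES = bytes.fromhex(
    "00269156780bb07fb91a2eff08004500" "0028579e40003f06ab00c0a8fe0236ae"
    "43d8d04101bb9d2a417a000000005004" "0000c60d0000000000000000")

def ipv4(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def build_sample() -> bytes:
    """Constructed stream: event + packet from the thread, then a made-up type-999
    record standing in for a record type the consumer does not understand."""
    ev = EVENT.pack(0, 1, 1502204570, 285494, 15, 129, 1, 3, 2,
                    0xC0A8FE02, 0x36AE43D8, 53313, 443, 6, 0, 0, 0, 0, 0, 0)
    pk = PACKET.pack(0, 1, 1502204570, 1502204570, 285494, 1, len(PKT_BYTES)) + PKT_BYTES
    unknown = b"\x00" * 12
    return b"".join(HDR.pack(t, len(b)) + b for t, b in
                    ((UNIFIED2_IDS_EVENT_VLAN, ev), (UNIFIED2_PACKET, pk), (999, unknown)))

def parse_unified2(data: bytes) -> list:
    """Return (type, fields) per record; unknown types are skipped by length,
    and a truncated tail (file still being written) ends the pass cleanly."""
    out, off = [], 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size: off + HDR.size + rlen]
        if len(body) < rlen:
            break
        if rtype == UNIFIED2_IDS_EVENT_VLAN and len(body) >= EVENT.size:
            f = EVENT.unpack(body[:EVENT.size])
            out.append((rtype, {"event_id": f[1], "event_second": f[2], "sig_id": f[4],
                                "gen_id": f[5], "priority": f[8], "ip_source": ipv4(f[9]),
                                "ip_destination": ipv4(f[10]), "src_port": f[11],
                                "dest_port": f[12], "ip_proto": f[13], "blocked": f[16],
                                "vlan_id": f[18], "policy_id": f[19]}))
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET.size:
            f = PACKET.unpack(body[:PACKET.size])
            out.append((rtype, {"event_id": f[1], "linktype": f[5],
                                "packet": body[PACKET.size:PACKET.size + f[6]]}))
        else:
            out.append((rtype, {"skipped_bytes": rlen}))  # unknown type: step over it
        off += HDR.size + rlen
    return out

if __name__ == "__main__":
    for rtype, fields in parse_unified2(build_sample()):
        print(rtype, fields)
```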