[Snort-users] Snort++ Build 239
rucombs at cisco.com
Wed Aug 9 17:36:34 EDT 2017
OK. We are going to make some changes to Snort++ to better support
barnyard2 at least temporarily but barnyard2 won't be able to support
Snort++ completely without changes.
Also, you may want to look into using snort -g -u (specifying group and
user) so that it doesn't have to run as root. It will still have to
start up as root to open your interfaces but after that it can drop
privileges which is more secure.
On 8/8/17 11:22 AM, Jim Campbell wrote:
> I believe that I have Snort++ outputting the unified2x log files.
> Following is the command line that I am using (I've moved the rules
> file specification into snort.lua.)
> sudo /opt/snort/bin/snort -Q -q -c /opt/snort/etc/snort/snort.lua
> --daq afpacket -i enp1s0:enp4s0 --plugin-path
> /opt/snort/lib/snort_extra -A unified2x
> This is the u2spewfoo output for one of the unified2x records:
> sensor id: 0 event id: 1 event second:
> 1502204570 event microsecond: 285494
> sig id: 15 gen id: 129 revision: 1 classification: 3
> priority: 2 ip source: 192.168.254.2 ip
> destination: 126.96.36.199
> src port: 53313 dest port: 443 ip_proto: 6 impact_flag: 0
> blocked: 0
> mpls label: 0 vlan id: 0 policy id: 0 appid:
> sensor id: 0 event id: 1 event second: 1502204570
> packet second: 1502204570 packet microsecond: 285494
> linktype: 1 packet_length: 60
> [ 0] 00 26 91 56 78 0B B0 7F B9 1A 2E FF 08 00 45 00 .&.Vx.........E.
> [ 16] 00 28 57 9E 40 00 3F 06 AB 00 C0 A8 FE 02 36 AE .(W.@.?.......6.
> [ 32] 43 D8 D0 41 01 BB 9D 2A 41 7A 00 00 00 00 50 04 C..A...*Az....P.
> [ 48] 00 00 C6 0D 00 00 00 00 00 00 00 00 ............
> I've got some tweaking to do. For example my unified2x file is in
> Thanks for your help.
> On 8/7/2017 12:06 PM, Russ wrote:
>> On 8/7/17 11:53 AM, Jim Campbell wrote:
>>> Now that I have a running (though back-level) IPS I'll play with
>>> getting the unified2x logger working. For clarification, does this
>>> mean that I can use Snort++ and the unified2x logger will output
>>> records understandable by Barnyard2?
>> Yes. You will get the same event types as 2X. The difference is
>> that Snort++ data buffers records will not be handled. I'm looking
>> into what can be done to just make that work until the tool chains
>> are updated. But this will get you back to where you were before the
>> new events were added.
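The u2spewfoo output above is a decoded unified2 IDS event record followed by its packet record; as an added example (not from the thread or the Snort project), here is a small parser for that on-disk format, with a sample built from the values printed above. It assumes the Snort 2.x layouts: an 8-byte type/length record header, the 52-byte type-7 IDS event and the 28-byte type-2 packet header; the mpls/vlan/appid fields u2spewfoo printed come from a longer event variant that is not modelled.

```python
import socket
import struct

# Layouts from the Snort 2.x unified2 definitions (big-endian). Assumption:
# the base 52-byte type-7 event; the longer mpls/vlan/appid variant is skipped.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
EVENT_FMT, PACKET_FMT = ">11I2H4B", ">7I"
EVENT_FIELDS = ("sensor_id event_id event_second event_microsecond signature_id "
                "generator_id signature_revision classification_id priority_id "
                "ip_source ip_destination sport_itype dport_icode protocol "
                "impact_flag impact blocked").split()
PACKET_FIELDS = ("sensor_id event_id event_second packet_second "
                 "packet_microsecond linktype packet_length").split()


def parse_unified2(blob):
    """Return [(type, fields)] per record. Every length is checked against the
    buffer, so a file cut short (e.g. still being written) raises ValueError."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from(">II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT and rlen >= struct.calcsize(EVENT_FMT):
            rec = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
            for key in ("ip_source", "ip_destination"):  # u32 -> dotted quad
                rec[key] = socket.inet_ntoa(struct.pack(">I", rec[key]))
        elif rtype == UNIFIED2_PACKET and rlen >= struct.calcsize(PACKET_FMT):
            rec = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body)))
            rec["data"] = body[struct.calcsize(PACKET_FMT):]
            if len(rec["data"]) != rec["packet_length"]:
                raise ValueError("packet_length disagrees with record length")
        else:
            rec = {"raw": body}  # unknown or undersized record: keep, don't guess
        records.append((rtype, rec))
        off += 8 + rlen
    return records


def build_sample():
    """Constructed sample: the event and packet printed by u2spewfoo above."""
    ip = lambda s: int.from_bytes(socket.inet_aton(s), "big")
    pkt = bytes.fromhex("00269156780BB07FB91A2EFF08004500 0028579E40003F06AB00C0A8FE0236AE "
                        "43D8D04101BB9D2A417A000000005004 0000C60D0000000000000000")
    event = struct.pack(EVENT_FMT, 0, 1, 1502204570, 285494, 15, 129, 1, 3, 2,
                        ip("192.168.254.2"), ip("126.96.36.199"), 53313, 443, 6, 0, 0, 0)
    packet = struct.pack(PACKET_FMT, 0, 1, 1502204570, 1502204570, 285494, 1, len(pkt)) + pkt
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)
```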