[Snort-users] Snort read file to generate u2 logs.

Al Lewis (allewi) allewi at ...589...
Wed Feb 22 06:28:24 EST 2017


Yes. The place where the inspected traffic comes from (network interface or file) shouldn’t matter.

Does the file/pcap traffic have bad checksums? If so add “-k none” to snort when you start it.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Paul Li <paul at ...17768...<mailto:paul at ...17768...>>
Date: Tuesday, February 21, 2017 at 11:05 PM
To: allewi <allewi at ...589...<mailto:allewi at ...589...>>
Cc: 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: Re: [Snort-users] Snort read file to generate u2 logs.

(Sorry, the previous email was broken.)

Al, do you indicate that Snort should generate .u2 files when it reads from a file?

Thanks,
Paul

On Tue, Feb 21, 2017 at 11:04 PM, Paul Li <paul at ...17768...<mailto:paul at ...17768...>> wrote:
Yes, Al, there's a .log file generated in the directory /var/log/snort. Also, the same user can generate a .u2 log when snort reads directly from the network interface.

So do you indicate that

On Tue, Feb 21, 2017 at 10:57 PM, Al Lewis (allewi) <allewi at ...589...<mailto:allewi at ...589...>> wrote:
Have you checked if the snort user has permissions to write to the output directory?

Are the logs created when you run snort as root?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Paul Li <paul at ...17768...<mailto:paul at ...17768...>>
Date: Tuesday, February 21, 2017 at 10:17 PM
To: 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: [Snort-users] Snort read file to generate u2 logs.

I'm using Snort to read a file and generate alerts with the following command:

sudo snort -q -u snort-user -g snort-group -c /etc/snort/snort.conf -r file-name

Snort can generate alerts but doesn't create u2 log files, nor any other output (e.g., csv), although the same snort.conf file will generate both alerts and .u2 files. Wondering if there's a way Snort can generate logs in a specified format when reading a file.

Thanks,
Paul
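Added example, not code from this thread or from Snort itself: a pre-flight check for the permission question Al raises. It resolves the names given to snort's -u/-g the way Snort's privilege drop would and tests whether that identity could create unified2 files in the log directory. The script name, the /var/log/snort default and the messages it prints are assumptions.

```python
"""Pre-flight check for `snort -u USER -g GROUP -r FILE`: can the dropped-privilege
user actually write the unified2 output directory? (Added example, not Snort code.)"""
import grp
import os
import pwd
import stat
import sys


def dir_writable_by(path, uid, gid, extra_gids=()):
    """True if a process running as uid/gid (plus supplementary extra_gids)
    could create files in `path`, judged from ownership and mode bits only.
    Creating a file needs both write and search (x) permission on the directory.
    ACLs and mount options (e.g. read-only) are not considered."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    if uid == 0:                      # root bypasses discretionary access checks
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR and mode & stat.S_IXUSR)
    if st.st_gid == gid or st.st_gid in extra_gids:
        return bool(mode & stat.S_IWGRP and mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH)


def ids_for(user, group):
    """Resolve the names passed to snort's -u/-g into a uid, a gid and the
    user's supplementary group ids, i.e. the identity snort runs under after
    dropping root."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid
    extra = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    return pw.pw_uid, gid, extra


if __name__ == "__main__":
    # Usage: check_snort_logdir.py USER GROUP [LOGDIR]  (assumed script name)
    user, group = sys.argv[1:3]
    logdir = sys.argv[3] if len(sys.argv) > 3 else "/var/log/snort"
    uid, gid, extra = ids_for(user, group)
    if dir_writable_by(logdir, uid, gid, extra):
        print(f"ok: {user}:{group} can create files in {logdir}")
        print("if the pcap carries bad checksums, start snort with -k none")
    else:
        st = os.stat(logdir)
        print(f"{logdir} is mode {oct(st.st_mode & 0o777)}, owned by uid {st.st_uid} "
              f"gid {st.st_gid}; {user}:{group} cannot create unified2 files there")
        sys.exit(1)
```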

