[Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert

Al Lewis (allewi) allewi at ...589...
Thu Jan 5 06:17:23 EST 2017


Hello Maxim,

Please see the section under the snort3 manual for loggers:

https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules


It's impossible to say what the issue is without a copy of your configuration.

Attached is a basic config that should log any tcp packet.

All I did was run it with this below:

./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .


And it produced log files as these (unified log is there):


alewis at ...17722...:/var/tmp/snort++$ ls
alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log
alewis at ...17722...:/var/tmp/snort++$


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Maxim <hittlle at ...7427...<mailto:hittlle at ...7427...>>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert

Hi snort experts,
    I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0. Many thanks.
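A minimal Snort 3 Lua config of the kind the reply describes, written here as an added example (it is not the maxim.lua attachment, which is not reproduced on the page); the rule message and sid are constructed, and the unified2 limit value is an assumption carried over from typical Snort 2 configs:

```lua
-- Added example config (not the thread's attachment): alert on every TCP
-- packet and enable the three loggers whose output files appear in the
-- reply's `ls` listing (alert_full.txt, log_codecs.txt, unified2.log).
-- Run as: snort -c this.lua -r some.pcap -l .

-- Network variables so the inline rule parses with default references.
HOME_NET = 'any'
EXTERNAL_NET = 'any'

-- Inline rule: every TCP packet in the pcap raises an event, so each
-- packet should show up in the logger output. sid/msg are constructed.
ips =
{
    rules = [[
alert tcp any any -> any any ( msg:"example: any tcp packet"; sid:1000001; rev:1; )
    ]],
}

-- Logger modules: defining the table enables the plugin; output files are
-- written to the directory given by -l.
alert_full = { }     -- alert_full.txt: full-text alerts
log_codecs = { }     -- log_codecs.txt: decoded packet layers
unified2 =
{
    limit = 128,     -- assumed: roll the unified2 file over at 128 MB
}
```

If the unified2 file is empty or missing, confirm the rule actually fired (alert_full.txt should contain one entry per TCP packet) before looking at the logger configuration.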




-------------- next part --------------
A non-text attachment was scrubbed...
Name: maxim.lua
Type: application/octet-stream
Size: 1209 bytes
Desc: maxim.lua
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170105/7a8f6777/attachment.obj>

