[Snort-users] Unified2 Output

Al Lewis (allewi) allewi at cisco.com
Sat Jul 15 22:25:35 EDT 2017



Sorry if I am misunderstanding, but are you trying to get alerts from this pcap?

Based on the command, you are just reading a pcap and then trying to write something to a file.

Without an alert generated, the unified file should be blank.

You probably need to use -c for a config file and -l for the logging location.

https://www.snort.org/faq/readme-unified2



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

On 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell" <snort-users-bounces at lists.snort.org on behalf of jim at w4bqp.net> wrote:

>In my day-to-day use of Snort 3 I need for it to output its results in 
>Unified2 format. Experimenting, I came upon something that isn't working 
>for me. It may be a configuration issue that I don't yet understand.
>
>If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -L dump" everything works OK.
>
>If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -A unified2" it writes a "unified2.log.nnnnn" file in the default directory but the length is zero.
>
>What am I doing wrong / leaving out?
>
>Thanks,
>
>Jim
>
>-- 
>"We are not human beings having a spiritual experience;
>we are spiritual beings having a human experience."
>---Pierre Teilhard de Chardin
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.snort.org
>Go to this URL to change user options or unsubscribe:
>https://lists.snort.org/mailman/listinfo/snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest Snort news!
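The reply above says an empty unified2.log.nnnnn simply means no alert fired, which is the first thing to check once Snort is run with a config (-c) and a log directory (-l). The script below is an added example, not code from this thread or from the Snort project: it reads a unified2 file with the record layout documented in README.unified2 (4-byte big-endian type and length header, followed by the IDS event struct) and reports how many IPv4 event records it holds, so a zero-byte file and a file with real events can be told apart. The file naming (unified2.log.<timestamp>), the log directory path, and the sample record built at the bottom are assumptions made for the example; the sample bytes are constructed here, not captured from a real Snort run.

```python
"""
Added example (not from the thread or the Snort project): count IDS event
records in a Snort unified2 log.  Layout follows README.unified2:
  Serial_Unified2_Header  { uint32 type; uint32 length; }   (network order)
  Unified2_IDSEvent       type 7   -> 52-byte body (legacy IPv4 event)
  Unified2_IDSEvent_VLAN  type 104 -> 60-byte body (IPv4 event + MPLS/VLAN)
Assumed invocation that produces such a file (paths are placeholders):
  snort -c /opt/snort/etc/snort/snort.lua -R local.rules \
        -r some.pcap -A unified2 -l /var/log/snort
"""
import glob
import ipaddress
import os
import struct
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104

HEADER = struct.Struct("!II")                            # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")          # 52 bytes
IDS_EVENT_VLAN = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")  # 60 bytes


@dataclass
class IdsEvent:
    sensor_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    signature_id: int
    generator_id: int
    signature_revision: int
    classification_id: int
    priority_id: int
    ip_source: str
    ip_destination: str
    sport_itype: int
    dport_icode: int
    protocol: int
    impact_flag: int
    impact: int
    blocked: int
    mpls_label: int = 0
    vlan_id: int = 0


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each serial record; a truncated tail (file still
    being written by Snort) is ignored rather than treated as an error."""
    off = 0
    while off + HEADER.size <= len(data):
        rec_type, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break
        yield rec_type, data[off:off + length]
        off += length


def parse_events(data: bytes) -> List[IdsEvent]:
    """Decode IPv4 event records (types 7 and 104); packets, IPv6 events and
    extra-data records are skipped, so the count reflects alerts only."""
    events = []
    for rec_type, body in iter_records(data):
        if rec_type == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            extra = (0, 0)
        elif rec_type == UNIFIED2_IDS_EVENT_VLAN and len(body) == IDS_EVENT_VLAN.size:
            f = IDS_EVENT_VLAN.unpack(body)
            extra = (f[17], f[18])
        else:
            continue
        src = str(ipaddress.IPv4Address(f[9]))
        dst = str(ipaddress.IPv4Address(f[10]))
        events.append(IdsEvent(*f[:9], src, dst, *f[11:17], *extra))
    return events


def build_ids_event(sid: int, gid: int, src: str = "10.0.0.5", dst: str = "10.0.0.9",
                    sport: int = 49152, dport: int = 80, vlan: bool = True) -> bytes:
    """Constructed sample record (test data, not real Snort output)."""
    fields = [1, 1, 1500000000, 0, sid, gid, 1, 3, 1,
              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
              sport, dport, 6, 0, 0, 0]
    if vlan:
        body = IDS_EVENT_VLAN.pack(*fields, 0, 0, 0)
        return HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
    body = IDS_EVENT.pack(*fields)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def count_alerts(path: str) -> int:
    """Number of alert events in one unified2 file (0 for a zero-length file)."""
    with open(path, "rb") as fh:
        return len(parse_events(fh.read()))


if __name__ == "__main__":
    logdir = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed -l directory
    files = sorted(glob.glob(os.path.join(logdir, "unified2.log.*")))
    if not files:
        sys.exit("no unified2.log.* files under %s" % logdir)
    latest = files[-1]
    n = count_alerts(latest)
    print("%s: %d bytes, %d alert events" % (latest, os.path.getsize(latest), n))
    if n == 0:
        print("no alerts fired: check that -c/-R loaded rules that match this pcap")
```

Run it against the -l directory after a capture has been replayed; a zero-byte file with zero events means no rule fired, whereas a non-empty file with zero events means the records are of a type this reader skips (packets, IPv6 events), which is worth distinguishing before suspecting the output plugin.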

