[Snort-users] Problem with unified2 files

joseph m jmdlinux at gmail.com
Tue May 15 00:09:41 EDT 2018


Hello;

I apologize for the delayed response. Here is what I have. I am attaching the snort.conf (PDF format); snort is being called with the following:

'/usr/bin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort'

The startup/shutdown script is the snortd script which resides in /etc/rc.d/init.d. The only difference is the way it calls the init scripts in systemd fashion as opposed to Sys V, calling the scripts with ExecStop and ExecStart. The /etc/sysconfig/snort which is 'included' within snortd sets the interface, specifies the path to the snort.conf, sets the uid & gid and a variety of other settings. I will attach that as well.

Here is what I am seeing when I grep out snort from /var/log/messages (attached snippet): apparently something is there, but zero length unified2 files?? I believe I may have mentioned doing the snort -T giving it the em4 interface and that gave a successful configuration message.

Thanks again, I appreciate the response.

Best Regards,
Joseph M

On Thu, May 10, 2018 at 11:32 PM, <wkitty42 at windstream.net> wrote:

> On 05/07/2018 10:57 PM, joseph m via Snort-users wrote:
>
>> I have noticed that the unified2 files are zero length
>>
>
>
> if those log files are zero length then at least one of several things is
> wrong...
>
>   1. your log config section in your conf file... please post it so we can
> see what you are trying to work with...
>
>   2. your command line may be overriding your conf file settings... please
> post it so we can see what you are trying to work with... IF your command
> is executing a script, please post or point us to that script so we can see
> what it is doing... some scripts force some options...
>
>   3. your snort may not be seeing any traffic... are you using "-k none"
> on your command line? give it a try and remember the script comment
> above... you can see if your snort is seeing any traffic by looking at the
> stats it logs when you shut it down... so find your snort log file... on
> linux, you would generally look in /var/log/messages and grep out the snort
> lines ("snort\[.*\]:")...
>
>
> we can start there and see what others may offer...
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list unless*
>        *a signed and pre-paid contract is in effect with us.*
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>