[Snort-users] Problem with unified2 files

joseph m jmdlinux at gmail.com
Fri May 18 00:30:06 EDT 2018


Hi;

I've run snort from the command line like this: snort -vd -i em4. This generated an error, "dpg len > captured len", so I set the snaplen to 65535 (-p 65535), and that eliminated that issue. I am seeing data sent to stdout just fine. Now when I add -c /etc/snort/snort.conf (where, within the config file, I am specifying that data be output to the unified2 file) ... nothing, zero-length unified2 files. I looked through the journal and the last message I am seeing regarding snort is: 'Commencing Packet Processing'. My guess is (and correct me if I am wrong, and I very well may be!) that since I point to a config file and I am filtering out certain IPs, it is possible that snort is simply not seeing anything to process. I did comment out some of the IPs in the config file and I also commented out the bpf_file (most of what's in there are network scanners that we normally do not want snort to log). I thank you all for your time and appreciate any advice. It is a learning experience indeed.

Best to all,
Joseph M

On Wed, May 16, 2018 at 2:15 AM, Muhammad Zeeshan Bhatti <
zeeshan.bhatti at royalcyber.com> wrote:

> Thank you so much for providing the snort configuration document.
>
> *From:* Snort-users [mailto:snort-users-bounces at lists.snort.org] *On
> Behalf Of *joseph m via Snort-users
> *Sent:* Tuesday, May 15, 2018 9:10 AM
> *To:* wkitty42 at windstream.net
> *Cc:* snort-users at lists.snort.org
> *Subject:* Re: [Snort-users] Problem with unified2 files
>
> Hello;
>
> I apologize for the delayed response. Here is what I have. I am attaching
> the snort.conf (pdf format); snort is being called with the following:
>
> '/usr/bin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l
> /var/log/snort'
>
> The startup/shutdown script is the snortd script which resides in
> /etc/rc.d/init.d. The only difference is the way it calls the init scripts
> in systemd fashion as opposed to Sys V, calling the scripts with ExecStop
> and ExecStart. The /etc/sysconfig/snort which is 'included' within snortd
> sets the interface, specifies the path to the snort.conf, sets the uid & gid
> and a variety of other settings. I will attach that as well. Here is what I
> am seeing when I grep out snort from /var/log/messages (attached snippet):
> apparently something is there, but zero-length unified2 files?? I believe I
> may have mentioned doing snort -T, giving it the em4 interface, and that
> gave a successful configuration message.
>
> Thanks again, I appreciate the response. Best Regards, Joseph M
>
> On Thu, May 10, 2018 at 11:32 PM, <wkitty42 at windstream.net> wrote:
>
> On 05/07/2018 10:57 PM, joseph m via Snort-users wrote:
>
> I have noticed that the unified2 files are zero length
>
> if those log files are zero length then at least one of several things is
> wrong...
>
>   1. your log config section in your conf file... please post it so we can
> see what you are trying to work with...
>
>   2. your command line may be overriding your conf file settings... please
> post it so we can see what you are trying to work with... IF your command
> is executing a script, please post or point us to that script so we can see
> what it is doing... some scripts force some options...
>
>   3. your snort may not be seeing any traffic... are you using "-k none"
> on your command line? give it a try and remember the script comment
> above... you can see if your snort is seeing any traffic by looking at the
> stats it logs when you shut it down... so find your snort log file... on
> linux, you would generally look in /var/log/messages and grep out the snort
> lines ("snort\[.*\]:")...
>
> we can start there and see what others may offer...
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list unless*
>        *a signed and pre-paid contract is in effect with us.*
>
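The quickest way to tell whether the zero-length files in this thread ever received anything is to read the spool directly rather than inferring from /var/log/messages. The Python below is an added example, not code from this thread or from the Snort project: it walks a unified2 file's records (a 4-byte type and 4-byte length header in network byte order, then the body), counts them by type, decodes legacy IPv4 events, and builds a constructed sample spool to run against. Record type numbers are those listed in the Snort manual; the spool path you pass to inspect_file is an assumption.

```python
"""Walk a Snort unified2 spool file and report whether it holds any records."""
import ipaddress
import struct
from typing import Dict, Iterator, Tuple

# Record types as listed in the Snort manual's unified2 section.
U2_PACKET, U2_IDS_EVENT = 2, 7
U2_NAMES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
            104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
HDR = struct.Struct("!II")       # record header: type, length (network byte order)
EVT = struct.Struct("!11I2H4B")  # legacy IPv4 event body (52 bytes)

def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) per record; a body shorter than its header claims is an error."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, body
        off += HDR.size + rlen

def summarize(data: bytes) -> Dict:
    """Count records by type and decode legacy events (gid/sid and the 5-tuple)."""
    out = {"empty": not data, "records": 0, "types": {}, "events": []}
    for rtype, body in iter_records(data):
        name = U2_NAMES.get(rtype, f"UNKNOWN_{rtype}")
        out["types"][name] = out["types"].get(name, 0) + 1
        out["records"] += 1
        if rtype == U2_IDS_EVENT and len(body) == EVT.size:
            f = EVT.unpack(body)
            out["events"].append({"gid": f[5], "sid": f[4], "rev": f[6],
                                  "src": str(ipaddress.IPv4Address(f[9])),
                                  "dst": str(ipaddress.IPv4Address(f[10])),
                                  "sport": f[11], "dport": f[12], "proto": f[13]})
    return out

def inspect_file(path: str) -> Dict:
    """Summarize one spool file, e.g. /var/log/snort/snort.log.<timestamp> (path is an assumption)."""
    with open(path, "rb") as fh:
        return summarize(fh.read())

def build_sample() -> bytes:
    """Constructed spool: one legacy event (gid 1, sid 1000001, TCP to port 80) plus one packet record."""
    evt = EVT.pack(1, 7, 1526603406, 0, 1000001, 1, 3, 1, 2,
                   int(ipaddress.IPv4Address("192.0.2.10")),
                   int(ipaddress.IPv4Address("198.51.100.7")), 44321, 80, 6, 0, 0, 0)
    pkt = struct.pack("!7I", 1, 7, 1526603406, 1526603406, 0, 1, 4) + b"\xde\xad\xbe\xef"
    return HDR.pack(U2_IDS_EVENT, len(evt)) + evt + HDR.pack(U2_PACKET, len(pkt)) + pkt
```

A file that summarizes as empty was opened by the output plugin but never written to, which points at the traffic/filter side of wkitty42's list rather than at the unified2 output config.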