[Snort-users] Problem with unified2 files
jmdlinux at gmail.com
Fri May 18 00:30:06 EDT 2018
I've run snort from the command line, like this: snort -vd -i em4. This
generated an error "dpg len > captured len", so I set the snaplen to 65535
(-p 65535); that eliminated that issue. I am seeing data sent to stdout just
fine. Now when I add -c /etc/snort/snort.conf (where I am specifying data to
be output to the unified2 file within the config file) ... nothing, zero-length
unified2 files. I looked through the journal and the last message I am seeing
regarding snort is: 'Commencing Packet Processing'. My guess is, and correct
me if I am wrong (and I very well may be!!), since I point to a config file
and I am filtering out certain IPs, it can be possible that snort is simply
not seeing anything to process .... I did comment out some of the IPs in the
config file and I also commented out the bpf_file (most of what's in there
are network scanners that we normally do not want snort to log). I thank you
all for your time ... and appreciate any advice ... It is a learning
experience indeed .......... Best to All ............... Joseph M
On Wed, May 16, 2018 at 2:15 AM, Muhammad Zeeshan Bhatti <zeeshan.bhatti at royalcyber.com> wrote:
> Thank you so much for providing the snort configuration document.
> *From:* Snort-users [mailto:snort-users-bounces at lists.snort.org] *On Behalf Of* joseph m via Snort-users
> *Sent:* Tuesday, May 15, 2018 9:10 AM
> *To:* wkitty42 at windstream.net
> *Cc:* snort-users at lists.snort.org
> *Subject:* Re: [Snort-users] Problem with unified2 files
> I apologize for the delayed response. Here is what I
> have ................. I am attaching the snort.conf (pdf format); snort
> is being called with the following:
> '/usr/bin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l
> /var/log/snort'. The startup/shutdown script is the snortd script which
> resides in /etc/rc.d/init.d. The only difference is the way it calls the
> init scripts in systemd fashion as opposed to SysV, calling the scripts
> with ExecStop and ExecStart. The /etc/sysconfig/snort which is 'included'
> within snortd sets the interface, specifies the path to the snort.conf,
> sets the uid & gid and a variety of other settings. I will attach that as
> well. Here is what I am seeing when I grep out snort from /var/log/messages
> (attached snippet); apparently something is there but zero-length unified2
> files?? I believe I may have mentioned doing the snort -T giving it the
> em4 interface and that gave a successful configuration message.
> Thanks again, I appreciate the response ............................. Best
> Regards .... Joseph M
> On Thu, May 10, 2018 at 11:32 PM, <wkitty42 at windstream.net> wrote:
> On 05/07/2018 10:57 PM, joseph m via Snort-users wrote:
> I have noticed that the unified2 files are zero length
> if those log files are zero length then at least one of several things is
> 1. your log config section in your conf file... please post it so we can
> see what you are trying to work with...
> 2. your command line may be overriding your conf file settings... please
> post it so we can see what you are trying to work with... IF your command
> is executing a script, please post or point us to that script so we can see
> what it is doing... some scripts force some options...
> 3. your snort may not be seeing any traffic... are you using "-k none"
> on your command line? give it a try and remember the script comment
> above... you can see if your snort is seeing any traffic by looking at the
> stats it logs when you shut it down... so find your snort log file... on
> linux, you would generally look in /var/log/messages and grep out the snort
> lines ("snort\[.*\]:")...
> we can start there and see what others may offer...
> NOTE: No off-list assistance is given without prior approval.
> *Please keep mailing list traffic on the list unless*
> *a signed and pre-paid contract is in effect with us.*
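The zero-length unified2 question running through this thread comes down to whether Snort ever wrote a record at all. As an added illustration that is not part of the thread and not Snort's own code, here is a small Python walker for the unified2 format that reports what a file contains and tells an empty file apart from a truncated or corrupt one. It relies only on the published record layout (an 8-byte type/length header in network byte order, the 52-byte legacy IDS event body of type 7, and the packet record of type 2); the sample bytes it parses are constructed inline, and the diagnosis wording and function names are my own.

```python
import socket
import struct
from collections import Counter

# Unified2 record header: type (uint32) + length (uint32), network byte order.
HEADER = struct.Struct("!II")

# Record type ids from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # same plus mpls/vlan fields, 60-byte body
UNIFIED2_EXTRA_DATA = 110

# Type 7 body: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked.
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
# Type 2 body: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length bytes.
PACKET_HDR = struct.Struct("!IIIIIII")


def decode(rtype, body):
    """Turn one record body into a dict of the fields a triager looks at."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
        f = IDS_EVENT.unpack_from(body)
        return {"type": "event", "gid": f[5], "sid": f[4], "rev": f[6],
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13]}
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        f = PACKET_HDR.unpack_from(body)
        return {"type": "packet", "event_id": f[1], "linktype": f[5],
                "packet_length": f[6], "captured": len(body) - PACKET_HDR.size}
    return {"type": f"other({rtype})", "length": len(body)}


def parse_unified2(data):
    """Walk a unified2 byte string; return (records, diagnosis string)."""
    if not data:
        # Snort opened the file but never wrote a record: no traffic seen,
        # no rule fired, or the unified2 output plugin never engaged.
        return [], "zero-length: no records were ever written"
    records, off = [], 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size: off + HEADER.size + rlen]
        if len(body) < rlen:
            return records, (f"truncated: record at offset {off} declares "
                             f"{rlen} bytes but only {len(body)} remain")
        records.append(decode(rtype, body))
        off += HEADER.size + rlen
    if off != len(data):
        return records, f"{len(data) - off} stray trailing bytes"
    return records, "ok"


def summarize(records):
    """Count records by kind, e.g. {'event': 1, 'packet': 1}."""
    return dict(Counter(r["type"] for r in records))


def build_sample():
    """Constructed two-record file: one event and its captured packet."""
    ev = IDS_EVENT.pack(1, 1, 1526600000, 0, 1000001, 1, 1, 3, 2,
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
                        44321, 22, 6, 0, 0, 0)
    frame = bytes(54)   # placeholder Ethernet frame; contents irrelevant here
    pkt = PACKET_HDR.pack(1, 1, 1526600000, 1526600000, 0, 1, len(frame)) + frame
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


def inspect_file(path):
    """Read a unified2 file from disk and return (summary, diagnosis)."""
    with open(path, "rb") as fh:
        records, diag = parse_unified2(fh.read())
    return summarize(records), diag


if __name__ == "__main__":
    recs, diag = parse_unified2(build_sample())
    print(diag, summarize(recs), recs)
    print(parse_unified2(b"")[1])
```

Run `inspect_file` against a file under the configured log directory (for example one of the `snort.log.*` or `merged.log.*` files in /var/log/snort) to see whether the problem is "no records at all", which points at traffic or output configuration, or "truncated", which usually just means Snort is still writing.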