Snort mailing list archives
Re: Lets talk about ....
From: AllowOverride <allowoverride () gmail com>
Date: Tue, 09 Oct 2012 08:56:56 -0700
sorry i forgot the cmds i used:

/usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /etc/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log

/var/log/snort# u2spewfoo snort.log.1349797570 |more

(Event)
        sensor id: 0    event id: 1     event second: 1349797624        event microsecond: 522219
        sig id: 10000001        gen id: 1       revision: 0     classification: 0
        priority: 0     ip source: 192.168.1.35 ip destination: 192.168.1.14
        src port: 8     dest port: 0    protocol: 1     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 1     event second: 1349797624
        packet second: 1349797624       packet microsecond: 522219
        linktype: 1     packet_length: 98
[    0]  00 1A 4D 63 44 CF 00 26 B9 11 24 32 08 00 45 00  ..McD..&..$2..E.
[   16]  00 54 00 00 40 00 40 01 B7 27 C0 A8 01 23 C0 A
--- Begin Message ---
From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 9 Oct 2012 09:10:54 +0100

Hello all

On 08/10/2012 23:28, AllowOverride wrote:
> next topic, revisited:
> u2spewfoo snort.log.1349734894
> get_record: (2) Failed to read all of record data.
> Read 14476 of 33555456 bytes
> why?
> i run snort/barnyard2 this way: should i change?
> /usr/local/bin/snort -A fast -c /etc/snort/etc/snort.conf -i eth0 &

I should have made it clearer in my previous email, but you should drop the -A fast.

# snort -A fast -c /etc/snort/snort.conf -i eth1
<snip>
Commencing packet processing (pid=7855)
Decoding Ethernet
# ls -hl
total 12K
-rw-r--r-- 1 root  snort 448 Oct 9 09:05 alert
-rw------- 1 snort snort 480 Oct 9 09:05 snort.log.1349769868
# file snort.log.1349769868
snort.log.1349769868: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

Again, Snort is creating a pcap file and not a unified2 log.

# snort -c /etc/snort/snort.conf -i eth1
<snip>
Commencing packet processing (pid=7882)
Decoding Ethernet
# ls -hl
total 8.0K
-rw------- 1 snort snort 1.2K Oct 9 09:07 snort.log.1349770017
# file snort.log.1349770017
snort.log.1349770017: data
# u2spewfoo snort.log.1349770017 |grep sig
        sig id: 10000001        gen id: 1       revision: 0     classification: 0

Obviously when all is running fine you can daemonize with -D. Using & you're backgrounding any startup errors you might see.

After this I suspect barnyard2 will work fine as it will have the unified2 input it is expecting.
--
Peter Bates
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
--- End Message ---
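A small reader for the two file formats this thread contrasts, added here as an illustration (it is not code from the thread, from Snort or from barnyard2): it tells a pcap global header from unified2 record framing, shows where the 33555456-byte record length in the error above comes from (a unified2 reader takes the pcap version bytes 02 00 04 00 as a big-endian length), and decodes the legacy IPv4 event record into the fields u2spewfoo prints. The record layout follows Snort's Unified2_common.h (record type 7, 52-byte body, all fields network byte order); the sample event is constructed from the values in the thread.

```python
import struct
import ipaddress

# Unified2 framing: every record starts with type and length, both uint32 in
# network byte order; the event body fields are network byte order as well.
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event record, 52-byte body
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1}
EVENT_FMT = "!11I2H4B"        # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes

# Constructed sample: the 24-byte global header of a little-endian pcap file
# (magic, version 2.4, tz offset, sigfigs, snaplen 1514, linktype 1/Ethernet),
# i.e. what Snort writes to snort.log.* when started with -A fast.
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)

def u2_event(sensor, eid, sec, usec, sid, gid, rev, cls, pri, src, dst,
             sport, dport, proto, impact_flag=0, impact=0, blocked=0):
    """Build one Unified2 IDS event record (constructed sample data)."""
    body = struct.pack(EVENT_FMT, sensor, eid, sec, usec, sid, gid, rev, cls, pri,
                       int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       sport, dport, proto, impact_flag, impact, blocked)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def classify(data):
    """Return ("pcap", misread_length) or ("unified2", None) for a log file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in PCAP_MAGICS:
        # A unified2 reader takes bytes 4..8 as the big-endian record length;
        # for a v2.4 little-endian pcap those are 02 00 04 00 = 33555456.
        return "pcap", struct.unpack("!I", data[4:8])[0]
    return "unified2", None

def parse_unified2(data):
    """Walk unified2 records, returning decoded IDS events; raise on truncation."""
    events, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError(f"Failed to read all of record data. Read {len(body)} of {rlen} bytes")
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(EVENT_FMT):
            f = struct.unpack(EVENT_FMT, body)
            events.append({"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                           "event_microsecond": f[3], "sig_id": f[4], "gen_id": f[5],
                           "revision": f[6], "classification": f[7], "priority": f[8],
                           "ip_source": str(ipaddress.IPv4Address(f[9])),
                           "ip_destination": str(ipaddress.IPv4Address(f[10])),
                           "src_port": f[11], "dest_port": f[12], "protocol": f[13],
                           "impact_flag": f[14], "blocked": f[16]})
        off += 8 + rlen                  # other record types (e.g. packets) are skipped
    return events
```

Running classify() over a fresh snort.log.* before pointing barnyard2 at it is a quick way to catch the -A fast mistake without waiting for u2spewfoo to fail.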