Snort mailing list archives
Re: running snort
From: Balla István <balla.bmf () gmail com>
Date: Thu, 2 May 2013 00:18:52 +0200
Actually I'm running snort with:

    /usr/local/snort/bin/snort -Q -i eth2:eth1 -c /usr/local/snort/etc/snort.conf -D

It produced a log file in the /var/log/snort folder: snort.u2.123456789

I want to read (back) this file with:

    /usr/local/snort/bin/snort -r /var/log/snort/snort.u2.123456789

In snort.conf the output is set:

    output unified2: filename snort.u2, limit 128

2013/5/1 beenph <beenph () gmail com>

> Readback mode? Which software do you want to use in "readback mode"?
>
> -elz
>
> On Wed, May 1, 2013 at 5:44 PM, Balla István <balla.bmf () gmail com> wrote:
>
>> Could you write how to use it in readback mode? Thanks.
>>
>> 2013/5/1 beenph <beenph () gmail com>
>>
>>> On Wed, May 1, 2013 at 4:39 PM, Balla István <balla.bmf () gmail com> wrote:
>>>
>>>> Sorry. snort.u2 is the log output format (unified2) with the appended identifier: .1234557... But why is it that snort cannot read it with ./snort -r ./log/snort.u2.12345678
>>>
>>> To read a unified2 file you can use:
>>>
>>> - u2spewfoo (comes with the snort source package)
>>> - u2boat (to extract packets from a unified2 file, also comes with the snort source package)
>>> - snort unified perl (http://code.google.com/p/snort-unified-perl/)
>>> - barnyard2 (to process a unified2 file into different outputs, www.github.com/firnsy/barnyard2)
>>>
>>> -elz
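The reason `snort -r` fails here is that `-r` reads libpcap capture files, while unified2 is Snort's own binary record stream: a sequence of (type, length) headers in network byte order, each followed by a record body, which is what u2spewfoo and barnyard2 walk. The following is an added example, not code from the thread or from the Snort project. It checks whether a file carries a pcap magic at all, then walks a unified2 stream and decodes the legacy IPv4 IDS event (type 7, and the first 52 bytes of the type 104 VLAN variant) and packet records (type 2); the struct layouts follow Snort's Unified2_common.h, and the sample bytes are constructed inline so it runs offline. Record types it does not decode (IPv6 events, extra data) are reported with their type and length only.

```python
"""Minimal unified2 record walker (added example; not Snort's own code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Union

# Record type ids as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2            # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7         # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104  # same 52 bytes followed by mpls/vlan fields

# libpcap file magics (both byte orders, plus the nanosecond variants)
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}

RECORD_HDR = struct.Struct(">II")       # type, length (network byte order)
IDS_EVENT = struct.Struct(">11I2H4B")   # 52 bytes: ids, times, sig, ips, ports, flags
PACKET_HDR = struct.Struct(">7I")       # 28 bytes, then packet_length bytes of frame


def looks_like_pcap(data: bytes) -> bool:
    """True if the file starts with a libpcap magic; `snort -r` requires this."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] in PCAP_MAGICS


@dataclass
class IdsEvent:
    event_id: int
    event_second: int
    generator_id: int
    signature_id: int
    signature_revision: int
    priority: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    blocked: int


@dataclass
class PacketRecord:
    event_id: int
    linktype: int
    packet: bytes


@dataclass
class UnknownRecord:
    record_type: int
    length: int


def parse_unified2(data: bytes) -> List[Union[IdsEvent, PacketRecord, UnknownRecord]]:
    """Walk the (type, length, body) stream, refusing truncated records."""
    records: List[Union[IdsEvent, PacketRecord, UnknownRecord]] = []
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record at offset {off - RECORD_HDR.size}")
        off += rlen
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            (_sensor, event_id, ev_sec, _ev_usec, sig_id, gen_id, sig_rev,
             _class_id, prio, ip_src, ip_dst, sport, dport,
             proto, _impact_flag, _impact, blocked) = IDS_EVENT.unpack_from(body)
            records.append(IdsEvent(event_id, ev_sec, gen_id, sig_id, sig_rev, prio,
                                    str(IPv4Address(ip_src)), str(IPv4Address(ip_dst)),
                                    sport, dport, proto, blocked))
        elif rtype == UNIFIED2_PACKET:
            (_sensor, event_id, _ev_sec, _pkt_sec, _pkt_usec,
             linktype, pkt_len) = PACKET_HDR.unpack_from(body)
            payload = body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
            if len(payload) < pkt_len:
                raise ValueError("packet record shorter than its packet_length")
            records.append(PacketRecord(event_id, linktype, payload))
        else:
            records.append(UnknownRecord(rtype, rlen))
    return records


def build_sample() -> bytes:
    """Constructed two-record unified2 stream: one event plus its packet."""
    event_body = IDS_EVENT.pack(
        1, 7, 1367446732, 0,        # sensor_id, event_id, event_second, event_microsecond
        1000001, 1, 2,              # signature_id, generator_id, signature_revision
        0, 3,                       # classification_id, priority_id
        int(IPv4Address("10.0.0.5")), int(IPv4Address("192.168.1.10")),
        40000, 80, 6, 0, 0, 0)      # sport, dport, protocol=TCP, impact_flag, impact, blocked
    frame = bytes(range(14)) + b"\x45" + b"\x00" * 19   # constructed filler, not a real frame
    packet_body = PACKET_HDR.pack(1, 7, 1367446732, 1367446732, 123, 1, len(frame)) + frame
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event_body)) + event_body
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body)


SAMPLE_U2 = build_sample()

if __name__ == "__main__":
    print("starts with pcap magic:", looks_like_pcap(SAMPLE_U2))
    for rec in parse_unified2(SAMPLE_U2):
        print(rec)
```

Run against a real spool file (`parse_unified2(open("/var/log/snort/snort.u2.123456789", "rb").read())`), the first check returns False, which is exactly why `snort -r` rejects it; the record walker is the shape of what barnyard2 does before handing each event to its output plugins.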
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- running snort Balla István (Apr 30)
- Re: running snort Joel Esler (Apr 30)
- Re: running snort Balla István (May 01)
- Re: running snort Balla István (May 01)
- Re: running snort beenph (May 01)
- Re: running snort Balla István (May 01)
- Re: running snort beenph (May 01)
- Re: running snort Balla István (May 01)
- Re: running snort Joel Esler (Apr 30)