Snort mailing list archives

Re: @snort.u2 file size 0 bytes


From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 5 Sep 2013 09:09:15 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 05/09/2013 07:47, anagha b wrote:
> I checked my snort.u2 file size is 0 bytes.

Okay - Snort should be generating some logs, and BY2 is for
processing the logs that Snort produces.
For now I'd ignore BY2 if your snort.u2 file is 0 bytes.

Check Snort is configured to log to a unified2 file:

grep '^output' /path/to/snort.conf
output unified2: filename snort.log, limit 128

Run Snort in the foreground with

/path/to/snort -c /path/to/snort.conf -i ethX
where X is your 'sniffing' interface.

Generate some traffic.

Ctrl-C to end Snort.

Look to see if your .u2 file has been created and is not 0 bytes.

The default location for this is probably /var/log/snort but can
also be configured with 'logdir' in snort.conf.

If the .u2 file contains data, try running Snort as above again
to see if it makes a new file and also contains data.

You can use u2spewfoo to query the unified2 files.

When you're 100% sure that Snort is capturing traffic,
move onto BY2 and you can try running that in the foreground initially
as well.

/path/to/barnyard2 -c /path/to/barnyard2.conf -d /var/log/snort -w /var/log/snort/bylog.waldo -f snort.u2

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSKDwqAAoJELhVoVpEMS6R8dkH/1WJTKn838BCzu5z1D+RQTE2
dcLqlYgFIs2XY+LQYEkT85LGEEiB31z0cA1GPz43SzXIOgzI+/ZkF0YV2/qiGiUR
7UiHJVDwXgVVngcHpePU9rGTg5pYr3jiAgnxKE8nkUOuMLXQt8uX+kS5niucaSkJ
+AYPZ4joA6xcdxgXFauFG+eSFh4X1q5itYi3+iRdGmrog7wzSyzPubm+lLHRHCSW
erIXEzLCEUCVR7Iv23FL3RWJfZOh/5qZYgUj0gq652zUo17lsCqZReXgcbWki0nX
e8GFZWtYkMmTnliH7ZRim/X94G+WbgJ0f+qm5xqBcGfVvCofEnkVKhJNSUn9jy4=
=eSoX
-----END PGP SIGNATURE-----
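The checks Peter walks through (is there an `output unified2:` line, where does `logdir` point, has Snort produced a non-empty spool file) can be scripted so they are run the same way every time before anyone touches Barnyard2. The script below is an added example, not code from the message or from the Snort or Barnyard2 projects. It assumes the `output unified2: filename <name>, limit <n>` form shown above, an optional `config logdir: <dir>` line with /var/log/snort as the default, and that Snort names each spool file `<name>.<unix-timestamp>`; it does not start Snort itself.

```shell
#!/bin/sh
# Added example: pre-flight check for the unified2 spool before running barnyard2.
# Assumptions (not taken from the original post): snort.conf carries
# "output unified2: filename <name>, limit <n>" and optionally "config logdir: <dir>";
# Snort writes spool files as <logdir>/<name>.<unix-timestamp>.

# u2_output_filename CONF -> prints the filename from the "output unified2:" line,
# or nothing if snort.conf has no such line.
u2_output_filename() {
    sed -n 's/^output[[:space:]]\{1,\}unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# u2_logdir CONF -> prints the "config logdir:" value, or /var/log/snort when unset.
u2_logdir() {
    dir=$(sed -n 's/^config[[:space:]]\{1,\}logdir:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${dir:-/var/log/snort}"
}

# u2_latest_file DIR NAME -> prints DIR/NAME.<ts> with the highest numeric <ts>,
# or nothing if no spool file exists yet.
u2_latest_file() {
    latest=""
    latest_ts=-1
    for f in "$1/$2".*; do
        [ -f "$f" ] || continue
        ts=${f##*.}
        # skip anything whose suffix is not a plain unix timestamp
        case $ts in ''|*[!0-9]*) continue ;; esac
        if [ "$ts" -gt "$latest_ts" ]; then
            latest=$f
            latest_ts=$ts
        fi
    done
    printf '%s\n' "$latest"
}

# u2_check CONF -> exit 0 when a non-empty spool file exists; 2/3/4 describe
# the three failure modes a 0-byte or missing snort.u2 usually comes down to.
u2_check() {
    conf=$1
    base=$(u2_output_filename "$conf")
    if [ -z "$base" ]; then
        echo "no 'output unified2:' line in $conf: Snort is not configured to write unified2"
        return 2
    fi
    dir=$(u2_logdir "$conf")
    latest=$(u2_latest_file "$dir" "$base")
    if [ -z "$latest" ]; then
        echo "no $base.* under $dir: run Snort in the foreground and confirm it starts and opens the spool"
        return 3
    fi
    if [ -s "$latest" ]; then
        echo "ok: $latest has data; barnyard2 -d $dir -f $base can be run against it"
        return 0
    fi
    echo "$latest exists but is 0 bytes: Snort opened the spool but wrote no records; generate traffic that matches a loaded rule and re-check"
    return 4
}

# usage: u2_check /etc/snort/snort.conf
```

Run it against the real snort.conf after the foreground Snort run described above; a non-zero exit with its one-line diagnosis tells you which of the three things to fix before Barnyard2 is involved at all. One caveat: if Snort is started with `-l <dir>` on the command line, that directory overrides `config logdir` in the file, and the script's `u2_logdir` will not see it, so pass the same directory you gave `-l` to `u2_latest_file` directly in that case.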


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!