Snort mailing list archives

Re: Unified 2 not working. I need help.


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 23 Jan 2016 04:13:09 -0700

At this point I would test as root...otherwise please post a sanitized
version of your complete snort.conf.

James

On Fri, 2016-01-22 at 16:02 -0600, Matthew White wrote:
Tried your steps and still no .u2 file.


On Fri, Jan 22, 2016 at 2:59 PM, James Lay <jlay () slave-tothe-box net>
wrote:

        Specify full path in your snort.conf:
        
        output unified2: filename /your/path/here/bleh.u2
        
        For testing, remove the -D and -q from your command line.
        
        James
        
        
        On 2016-01-22 13:50, Matthew White wrote:
        
        
        > tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3
        > -F /etc/snort/internalbpf.filter
        > -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u
        > snort still to no avail.
        > 
        > 
        > On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar
        > <avery.rozar () insecure-it com> wrote:
        > 
        >         Try adding "-l /var/log/snort" to step # 4.
        >         
        >         
        >         On Fri, Jan 22, 2016 at 3:33 PM, Matthew White
        >         <on3moda () gmail com> wrote:
        >                 1. The specified unified 2 log is not being
        >                 created.
        >                 2. Instead I get the snort.log.date
        >                 (tcpdump) default and alerts.
        >                 3. snort.conf - output unified2: filename
        >                 internal.u2, limit 128, vlan_event_types
        >                 4. running snort with
        >                 sudo /usr/local/bin/snort -D -q -i eth3
        >                 -F /etc/snort/internalbpf.filter
        >                 -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
        >                 5. No errors or warnings when grep
        >                 from /var/log/messages
        >                 6. Running RHEL 6
        >                 7. Installed and compiled from source
        >                 8. Snort has rwx for /var/log/snort
        >                 9. Deleted all logs
        >                 10. Since this was installed from a tarball
        >                 no file /etc/sysconfig/snort exists.
        >                 11. tail -f alerts and snort.log are working
        >                 great.
        >                 12. Manually made /etc/sysconfig/snort with
        >                 the following with no success as well.
        >                 
        >                 # /etc/sysconfig/snort
        >                 # $Id: 
        >                 #### General Configuration
        >                 INTERFACE=eth2
        >                 CONF=/(Path to)/snort.conf
        >                 USER=snort
        >                 GROUP=snort
        >                 PASS_FIRST=0
        >                 #### Logging & Alerting
        >                 LOGDIR=/var/log/snort
        >                 ALERTMODE=fast
        >                 DUMP_APP=1
        >                 BINARY_LOG=1
        >                 NO_PACKET_LOG=0
        >                 PRINT_INTERFACE=0
        >                 
        >                 
        >                 
        >                 ------------------------------------------------------------------------------
        >                 Site24x7 APM Insight: Get Deep Visibility
        >                 into Application Performance
        >                 APM + Mobile APM + RUM: Monitor 3 App
        >                 instances at just $35/Month
        >                 Monitor end-to-end web transactions and take
        >                 corrective actions now
        >                 Troubleshoot faster and improve end-user
        >                 experience. Signup Now!
        >                 http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
        >                 _______________________________________________
        >                 Snort-users mailing list
        >                 Snort-users () lists sourceforge net
        >                 Go to this URL to change user options or
        >                 unsubscribe:
        >                 https://lists.sourceforge.net/lists/listinfo/snort-users
        >                 Snort-users list archive:
        >                 http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        >                 
        >                 Please visit http://blog.snort.org to stay
        >                 current on all the latest Snort news!
        > 
        > 
        > 




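The thread above boils down to three things to check when the unified2 file never shows up: where a relative "filename" actually lands (under the -l directory), whether the user named by -u can write there, and whether you are looking for the right name at all (Snort appends a timestamp, so "internal.u2" becomes something like "internal.u2.1453496400"). The script below is an added example for this thread, not Snort's code and not code from anyone posting here. It assumes the relative-path and timestamp behaviour just described, and it assumes the unified2 record layout (4-byte big-endian type, 4-byte length, body; type 7 = IPv4 IDS event with a 52-byte body, type 2 = packet record). The sample .u2 bytes it walks are constructed in the script, not taken from a real sensor.

```python
"""Checks for why a Snort 2.x 'output unified2' file never appears, plus a
minimal walker over the .u2 records that should show up once it does.
Added example, not Snort code. Assumed: relative filename lands under -l;
Snort appends a timestamp to the name; record = >II (type, length) + body."""
import glob
import os
import pwd
import socket
import stat
import struct

U2_PACKET = 2      # assumed record type value for packet records
U2_IDS_EVENT = 7   # assumed record type value for IPv4 IDS events


def parse_unified2_output(conf_text):
    """Options of the first 'output unified2:' line as a dict, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output unified2:"):
            continue
        opts = {}
        for part in line[len("output unified2:"):].split(","):
            kv = part.strip().split(None, 1)   # 'limit 128' -> ('limit', '128')
            if kv:
                opts[kv[0]] = kv[1] if len(kv) > 1 else ""   # bare flags -> ""
        return opts
    return None


def dir_writable_by(path, user):
    """Best-effort: can `user` write to `path`, judged by uid/gid and mode
    bits only (POSIX ACLs ignored). None when the user is unknown here."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return None
    st = os.stat(path)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in os.getgrouplist(user, pw.pw_gid):
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_unified2_setup(conf_text, logdir, run_user=None):
    """List of findings explaining why no .u2 file may be written."""
    findings = []
    opts = parse_unified2_output(conf_text)
    if not opts or not opts.get("filename"):
        return ["no 'output unified2: filename ...' line in this snort.conf"]
    filename = opts["filename"]
    # Assumed: a relative filename is placed under the -l directory.
    target = filename if os.path.isabs(filename) else os.path.join(logdir, filename)
    if not os.path.isabs(filename):
        findings.append(f"relative filename {filename!r} resolves under -l: {target}")
    tdir = os.path.dirname(target)
    if not os.path.isdir(tdir):
        findings.append(f"directory {tdir} does not exist")
        return findings
    if run_user is not None:
        ok = dir_writable_by(tdir, run_user)
        if ok is None:
            findings.append(f"user {run_user!r} does not exist here; '-u {run_user}' would fail")
        elif not ok:
            findings.append(f"{tdir} is not writable by {run_user!r}")
    # Assumed: Snort appends a timestamp, so look for filename.* not filename.
    if not glob.glob(target + ".*"):
        findings.append(f"no {os.path.basename(target)}.<timestamp> file in {tdir} yet")
    return findings


def iter_unified2_records(data):
    """Yield (type, body) per record; raise on a truncated trailing record."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, body
        off += 8 + rlen


def summarize_events(data):
    """Decode IPv4 IDS events and count packet records: (events, n_packets)."""
    events, n_packets = [], 0
    for rtype, body in iter_unified2_records(data):
        if rtype == U2_PACKET:
            n_packets += 1
        elif rtype == U2_IDS_EVENT and len(body) == 52:
            f = struct.unpack(">11I2H4B", body)   # assumed event layout, 52 bytes
            events.append({"sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
                           "src": socket.inet_ntoa(struct.pack(">I", f[9])),
                           "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
                           "sport": f[11], "dport": f[12], "proto": f[13]})
    return events, n_packets


def build_sample_u2():
    """Constructed sample (not a real capture): one event plus one packet record."""
    src = struct.unpack(">I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack(">I", socket.inet_aton("10.0.0.9"))[0]
    event = struct.pack(">11I2H4B", 1, 42, 1453496400, 0,   # sensor, event id, sec, usec
                        1000001, 1, 3, 0, 2,                # sid, gid, rev, class, priority
                        src, dst, 40000, 80, 6, 0, 0, 0)    # ips, ports, proto, flags
    payload = b"GET / HTTP/1.0\r\n\r\n"
    packet = struct.pack(">7I", 1, 42, 1453496400, 1453496400, 0, 1, len(payload)) + payload
    return (struct.pack(">II", U2_IDS_EVENT, len(event)) + event
            + struct.pack(">II", U2_PACKET, len(packet)) + packet)


SAMPLE_CONF = "output unified2: filename internal.u2, limit 128, vlan_event_types\n"

if __name__ == "__main__":
    for finding in check_unified2_setup(SAMPLE_CONF, "/var/log/snort", run_user="snort"):
        print("finding:", finding)
    print(summarize_events(build_sample_u2()))
```

Run it on the sensor with the real snort.conf text and the same -l directory and -u user you pass on the command line; the findings are the same items the replies above ask about (absolute path, directory ownership, and the timestamped name). If the file does exist, summarize_events on its bytes confirms that events are actually being written rather than only the tcpdump-style snort.log.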