Snort mailing list archives
Re: Unified 2 not working. I need help.
From: Matthew White <on3moda () gmail com>
Date: Fri, 29 Jan 2016 11:35:00 -0600
Is there a debug to see where stuff is getting caught up?

On Mon, Jan 25, 2016 at 10:21 AM, James Lay <jlay () slave-tothe-box net> wrote:

> Try:
>
> output unified2: filename /(path)/external1.u2
>
> James
>
> On 2016-01-25 08:52, Matthew White wrote:
>
>> Ran /(path)/snort -D -q -i eth3 -F /(path)/internalbf.filter -c /(path)/snort.conf.internal as root but still the same.
>>
>> Also ran /(path)/snort -i eth3 -F /(path)/internalbf.filter -c /(path)/snort.conf.internal as root but still the same.
>>
>> What's funny is that output alert_unified2: works fine.
>>
>> # unified2
>> # Recommended for most installs
>> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>> output unified2: filename /(path)/external1-snort.log, limit 128, vlan_event_types
>> output alert_unified2: filename external1-snort.alert, limit 128
>>
>> On Sat, Jan 23, 2016 at 5:13 AM, James Lay <jlay () slave-tothe-box net> wrote:
>>
>>> At this point I would test as root...otherwise please post a sanitized version of your complete snort.conf.
>>>
>>> James
>>>
>>> On Fri, 2016-01-22 at 16:02 -0600, Matthew White wrote:
>>>
>>>> Tried your steps and still no .u2 file.
>>>>
>>>> On Fri, Jan 22, 2016 at 2:59 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>>>
>>>>> Specify full path in your snort.conf:
>>>>>
>>>>> output unified2: filename /your/path/here/bleh.u2
>>>>>
>>>>> For testing remove the -D and -q from your command line.
>>>>>
>>>>> James
>>>>>
>>>>> On 2016-01-22 13:50, Matthew White wrote:
>>>>>
>>>>>> Tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort, still to no avail.
>>>>>>
>>>>>> On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar <avery.rozar () insecure-it com> wrote:
>>>>>>
>>>>>>> Try adding "-l /var/log/snort" to step # 4.
>>>>>>>
>>>>>>> On Fri, Jan 22, 2016 at 3:33 PM, Matthew White <on3moda () gmail com> wrote:
>>>>>>>
>>>>>>>> 1. The specified unified 2 log is not being created.
>>>>>>>> 2. Instead I get the snort.log.date (tcpdump) default and alerts.
>>>>>>>> 3. snort.conf - output unified2: filename internal.u2, limit 128, vlan_event_types
>>>>>>>> 4. Running snort with sudo /usr/local/bin/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
>>>>>>>> 5. No errors or warnings when grep from /var/log/messages
>>>>>>>> 6. Running RHEL 6
>>>>>>>> 7. Installed and compiled from source
>>>>>>>> 8. Snort has rwx for /var/log/snort
>>>>>>>> 9. Deleted all logs
>>>>>>>> 10. Since this was installed from a tarball no file /etc/sysconfig/snort exists.
>>>>>>>> 11. tail -f alerts and snort.log are working great.
>>>>>>>> 12. Manually made /etc/sysconfig/snort with the following with no success as well.
>>>>>>>>
>>>>>>>> # /etc/sysconfig/snort
>>>>>>>> # $Id:
>>>>>>>>
>>>>>>>> #### General Configuration
>>>>>>>> INTERFACE=eth2
>>>>>>>> CONF=/(Path to)/snort.conf
>>>>>>>> USER=snort
>>>>>>>> GROUP=snort
>>>>>>>> PASS_FIRST=0
>>>>>>>>
>>>>>>>> #### Logging & Alerting
>>>>>>>> LOGDIR=/var/log/snort
>>>>>>>> ALERTMODE=fast
>>>>>>>> DUMP_APP=1
>>>>>>>> BINARY_LOG=1
>>>>>>>> NO_PACKET_LOG=0
>>>>>>>> PRINT_INTERFACE=0

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
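The thread never gets as far as checking what is inside the .u2 file once one appears. The reader below is an added example, not code from the thread or from the Snort project: it walks a unified2 file record by record and decodes the IDS event records that the `vlan_event_types` option in the poster's config produces (record type 104) as well as the legacy type-7 events. The record layouts and type numbers are taken from Snort's unified2 headers and documentation; the sample byte stream is constructed inline, including a deliberately truncated trailing record to mimic a file Snort is still writing, which a reader that tails a live file has to tolerate.

```python
"""Minimal unified2 reader: walk records and decode IDS event records.

Added example, not code from the thread. Record layouts follow Snort's
unified2 headers (Unified2_common.h / README.unified2); the sample bytes
built in build_sample() are constructed, not captured from a sensor.
"""
import struct
from ipaddress import IPv4Address

# Record type ids from Snort's unified2 headers.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan fields, 60-byte body
UNIFIED2_EXTRA_DATA = 110

# Unified2RecordHeader: type (u32), length (u32), both in network byte order.
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent_legacy: 9 u32 counters, 2 IPv4 addresses, 2 u16 ports, 4 u8 flags.
EVENT_LEGACY = struct.Struct("!9I4s4sHHBBBB")
# Unified2IDSEvent (written with vlan_event_types): legacy layout plus
# mpls_label (u32), vlan_id (u16), pad (u16).
EVENT_VLAN = struct.Struct("!9I4s4sHHBBBBIHH")

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")


def iter_records(data):
    """Yield (record_type, body) tuples; stop cleanly on a truncated tail.

    Snort appends records as it writes, so a reader that is tailing a live
    file must tolerate a partial trailing record rather than raise.
    """
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        start = offset + RECORD_HDR.size
        if start + length > len(data):
            break  # partial record still being written
        yield rtype, data[start:start + length]
        offset = start + length


def decode_event(rtype, body):
    """Decode a type-7 or type-104 event body into a dict; None for other types."""
    if rtype == UNIFIED2_IDS_EVENT:
        fields = EVENT_LEGACY.unpack(body)
        extra = {}
    elif rtype == UNIFIED2_IDS_EVENT_VLAN:
        fields = EVENT_VLAN.unpack(body)
        extra = {"mpls_label": fields[17], "vlan_id": fields[18]}
        fields = fields[:17]
    else:
        return None
    event = dict(zip(EVENT_FIELDS, fields))
    event["ip_source"] = str(IPv4Address(event["ip_source"]))
    event["ip_destination"] = str(IPv4Address(event["ip_destination"]))
    event.update(extra)
    return event


def summarize(data):
    """Return (record counts per type, decoded events) for a unified2 byte string."""
    counts = {}
    events = []
    for rtype, body in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        ev = decode_event(rtype, body)
        if ev is not None:
            events.append(ev)
    return counts, events


def build_sample():
    """Constructed unified2 stream: one VLAN event, one packet record, and a
    truncated trailing event header that simulates a file mid-write."""
    ev_body = EVENT_VLAN.pack(
        1, 42, 1453737600, 1234,        # sensor id, event id, seconds, microseconds
        1000001, 1, 3, 0, 2,            # sid, gid, rev, classification, priority
        IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed,
        51234, 80, 6, 0, 0, 0,          # sport, dport, protocol (TCP), flags
        0, 100, 0)                      # mpls label, vlan id, pad
    packet_body = b"\x00" * 28 + b"\xaa" * 8      # placeholder packet record body
    stream = RECORD_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(ev_body)) + ev_body
    stream += RECORD_HDR.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body
    stream += RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10  # cut short
    return stream


if __name__ == "__main__":
    counts, events = summarize(build_sample())
    print("records per type:", counts)
    for ev in events:
        print(ev)
```

To run it against a real file, replace `build_sample()` with the bytes read from the unified2 path named in the `output unified2:` line; a file that exists but yields zero event records points at the rules or the `-F` BPF filter rather than at the output plugin.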
Current thread:
- Re: Unified 2 not working. I need help., (continued)
- Re: Unified 2 not working. I need help. James Lay (Jan 22)
- Re: Unified 2 not working. I need help. Matthew White (Jan 22)
- Re: Unified 2 not working. I need help. James Lay (Jan 23)
- Re: Unified 2 not working. I need help. Matthew White (Jan 25)
- Re: Unified 2 not working. I need help. James Lay (Jan 25)
- Re: Unified 2 not working. I need help. Matthew White (Jan 27)
- Re: Unified 2 not working. I need help. James Lay (Jan 28)
- Re: Unified 2 not working. I need help. Matthew White (Jan 29)
- Re: Unified 2 not working. I need help. Matthew White (Jan 29)
- Re: Unified 2 not working. I need help. Matthew White (Feb 01)
- Re: Unified 2 not working. I need help. Matthew White (Jan 29)
- Re: Unified 2 not working. I need help. Matthew White (Jan 29)