Re: Snort3 generating multiple alert files

[Russ <rucombs () cisco com>]

On 5/15/16 10:51 PM, João Soares wrote:
> Greetings,
>
> I'm trying to learn and adapt to snort3 and it's not being easy.
>
> I'm running snort3 with this command:
>
> snort -l /root/snort-logs -A full -i eth0 -c etc/snort/snort.lua -D -z 
> 0 -d -e -w -X -y
Some comments on your options:

-z 0 will only help when you have multiple input sources or many pcaps 
since, at present, load balancing must be done externally. Internal load 
balancing is coming up.

-w applies to wireless and likely doesn't actually go with your eth0 
interface (usually wired).  However, since you had that combination, I 
double checked and it appears that -w is no longer attached to any 
functionality and will likely be deleted.
> I have a two questions and I would really appreciate it if you guys 
> could help me out:
>
> *1 *- Why is snort3 making a new alert file each time the original 
> file reaches approximately 4kb? How can I change that?
Which options are giving you 4K logs?  -A full goes to console by default.
> *2* - How can I make snort3 log both alerts and pcaps of intrusions, I 
> can't get it to work, I have tried combining both -A and -L options 
> but I can only get one of them to be logged.
-A and -L are for two different run modes.  Use -A with -c to log 
intrusion events.  Use -L to just log all packets, that is, for sniffer 
mode.  When used together on the command line, the last one wins.

Since you want to log intrusion events, you need a logger that captures 
packets along with the events.  I'm guessing that you want a separate 
pcap but there is no way to do that at present.  You can use -A u2 
(short for -A unified2) and that will log the event followed by the 
triggering packet in the same file.  You can then use included u2boat 
utility to dump a pcap from the u2 log.
> I'm sorry if these are really obvious questions, but I've read the 
> manual and I can't seem to find the answers.
Did you look at the usage section?  There are several examples there.  
If anything there is unclear, let us know.  We will be adding more than 
just reference material soon.
> Best regards and thank you for your time!
>
> --
> João Soares
>
> SIC - Serviço de Informática e Comunicações
> https://helpdesk.dei.uc.pt
> Department of Informatics Engineering
> Faculty of Science and Technology
> University of Coimbra
>
>
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of MDM
> restrictions. Mobile Device Manager Plus allows you to control only the
> apps on BYO-devices by containerizing them, leaving personal data untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!