Snort mailing list archives
Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 5 Jan 2017 11:17:23 +0000
Hello Maxim,

Please see the section under the snort3 manual for loggers: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules

It's impossible to say what the issue is without a copy of your configuration. Attached is a basic config that should log any tcp packet. All I did was run it with this below:

./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .

And it produced log files as these (unified log is there):

alewis@box3:/var/tmp/snort++$ ls
alert_full.txt bin core etc include lib log_codecs.txt share unified2.log
alewis@box3:/var/tmp/snort++$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Maxim <hittlle () 163 com>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert

Hi snort experts,

I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0.

Many thanks.
Attachment:
maxim.lua
Description: maxim.lua
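A quick way to check Maxim's symptom on a unified2.log produced by a run like the one above, as an added example that is not from this thread or from the Snort project: it walks the unified2 record stream and lists IDS events that have no UNIFIED2_PACKET record carrying the same event_id. The record header and type constants follow Snort's Unified2_common.h; the sample bytes are constructed inline so the script runs offline.

```python
import struct
import sys

# Record types from Snort's Unified2_common.h. Every record starts with a
# big-endian header (uint32 type, uint32 length); both event and packet
# bodies then begin with sensor_id and event_id, which links them together.
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 72, 99, 100, 104, 105}   # IDS_EVENT, IPV6, MPLS, VLAN variants


def parse_unified2(data: bytes):
    """Return a list of (record_type, event_id, body) for a unified2 byte stream."""
    records, offset = [], 0
    while offset + 8 <= len(data):
        rec_type, length = struct.unpack_from("!II", data, offset)
        body = data[offset + 8:offset + 8 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % offset)
        _sensor_id, event_id = struct.unpack_from("!II", body, 0)
        records.append((rec_type, event_id, body))
        offset += 8 + length
    return records


def events_without_packet(records):
    """event_ids of IDS events with no UNIFIED2_PACKET record in the stream."""
    packet_ids = {eid for t, eid, _ in records if t == UNIFIED2_PACKET}
    return [eid for t, eid, _ in records if t in EVENT_TYPES and eid not in packet_ids]


def _event(event_id):
    # Constructed 52-byte UNIFIED2_IDS_EVENT (type 7) body: sensor_id, event_id,
    # event_second, event_usec, sig_id, gen_id, sig_rev, class_id, priority,
    # src_ip, dst_ip, sport, dport, proto, impact_flag, impact, blocked.
    body = struct.pack("!11I2H4B", 0, event_id, 1483614000, 0, 1000001, 1, 1, 0, 3,
                       0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return struct.pack("!II", 7, len(body)) + body


def _packet(event_id, payload):
    # Constructed UNIFIED2_PACKET body: sensor_id, event_id, event_second,
    # packet_second, packet_usec, linktype (1 = Ethernet), packet_length, data.
    body = struct.pack("!7I", 0, event_id, 1483614000, 1483614000, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body


# Constructed sample: event 1 has its packet, event 2 was written without one.
SAMPLE = _event(1) + _packet(1, b"\x00" * 14 + b"GET / HTTP/1.1\r\n") + _event(2)

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    recs = parse_unified2(raw)
    print("record types:", [t for t, _, _ in recs])
    print("events lacking a packet record:", events_without_packet(recs))
```

Run it as `python3 u2check.py unified2.log` against a real log; an empty list means every event had its triggering packet written.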
Current thread:
- snort3.0 doesn't log the triggering packet of an alert Maxim (Jan 05)
- Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert Al Lewis (allewi) (Jan 05)