Snort mailing list archives
Re: Unified2 Output
From: Jim Campbell <jim () w4bqp net>
Date: Sun, 16 Jul 2017 14:24:10 -0400
Good suggestion, Marcin. My command line was a bit different from yours and it did produce a "unified2.log". Earlier output files produced a "unified2.log.nnnnnnnn" and this one didn't, so I will have to see if I can find why.
~$ sudo /opt/snort/bin/snort -c /opt/snort/etc/snort/snort_config -R /opt/snort/etc/snort/snort3.rules -i enp0s25 -A unified2
~$ sudo /opt/snort/bin/u2spewfoo ./unified2.log

(Event)
	sensor id: 0	event id: 1	event second: 1500228129	event microsecond: 176958
	sig id: 12	gen id: 129	revision: 1	classification: 3
	priority: 2	ip source: 192.168.0.10	ip destination: 192.168.0.41
	src port: 52915	dest port: 22	ip_proto: 6	impact_flag: 0	blocked: 0
	mpls label: 0	vlan id: 0	policy id: 0	appid:

Packet
	sensor id: 0	event id: 1	event second: 1500228129
	packet second: 1500228129	packet microsecond: 176958
	linktype: 1	packet_length: 94
[    0] 00 23 AE 7F CC 12 20 1A 06 D6 4A 3A 08 00 45 00  .#.... ...J:..E.
[   16] 00 50 07 EA 40 00 80 06 71 3A C0 A8 00 0A C0 A8  .P..@...q:......
[   32] 00 29 CE B3 00 16 BE FB A0 F8 04 A3 96 60 80 18  .)...........`..
[   48] CF E6 C8 30 00 00 01 01 08 0A 0A 33 57 AE 02 38  ...0.......3W..8
[   64] 61 4D 00 00 00 10 04 EB EB 37 7B F9 84 73 85 6C  aM.......7{..s.l
[   80] 73 08 B1 A0 F9 1A 1F 1E 24 A6 06 67 EF D9        s.......$..g..

Jim

On 7/16/2017 12:31 AM, Marcin Dulak wrote:
> On Sun, Jul 16, 2017 at 5:20 AM, Jim Campbell <jim () w4bqp net> wrote:
>> Al,
>>
>> Thanks for the reply. I ran a Snort 2.9.9.0 installation for six to eight months in the IPS mode. In the last month or so it became increasingly flaky, as in stopping alerting for hours at a time while still passing traffic. I decided to step up to Snort 3, so I am having to learn how it works. In retrospect I should have realized what you pointed out. I still have a lot to learn.
>
> When providing feedback, please state the command that worked for you. People will be reading this thread in the future and will have to go through all the posts to build a context and make a guess what the solution was. Maybe the one below? Otherwise please correct.
>
> export LUA_PATH=/usr/include/snort/lua/?.lua
> export SNORT_LUA_PATH=/etc/snort
> sudo /usr/sbin/snort -l /var/log/snort -c /etc/snort/snort.lua -A unified2 -v --plugin-path /usr/lib64/snort_extra -R /etc/snort/rules/snort.rules -r test.pcap
>
> Marcin
>
>> Thanks,
>> Jim
>>
>> On 7/15/2017 10:25 PM, Al Lewis (allewi) wrote:
>>> Sorry if I am misunderstanding, but are you trying to get alerts from this pcap? Based on the command you are just reading a pcap and then trying to write something to a file. Without an alert generated the unified file should be blank. You probably need to use -c for a config file and -l for the logging location.
>>>
>>> https://www.snort.org/faq/readme-unified2
>>>
>>> Albert Lewis
>>> ENGINEER.SOFTWARE ENGINEERING
>>> SOURCEfire, Inc. now part of Cisco
>>> Email: allewi () cisco com
>>>
>>> On 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell" <snort-users-bounces () lists snort org on behalf of jim () w4bqp net> wrote:
>>>> In my day-to-day use of Snort 3 I need for it to output its results in Unified2 format. Experimenting, I came upon something that isn't working for me. It may be a configuration issue that I don't yet understand. If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -L dump" everything works OK. If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -A unified2" it writes a "unified2.log.nnnnn" file in the default directory but the length is zero. What am I doing wrong / leaving out?
>>>>
>>>> Thanks,
>>>> Jim
>>>>
>>>> --
>>>> "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
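As an added example (not code from this thread or from the Snort project), a small Python reader for the Unified2 record types that the u2spewfoo dump above is printing: the 8-byte record header, the legacy IPv4 event (type 7), the VLAN event (type 104) and the packet record (type 2), per snort.org's readme-unified2. build_sample() constructs a file carrying the values from Jim's dump (only the first 14 bytes of the frame) so it runs offline; an empty file, like the zero-length unified2.log in the original question, parses to no records.

```python
import struct
import ipaddress

# Record header is uint32 type + uint32 length (big-endian), then the body; layouts
# follow snort.org's readme-unified2. Types handled: packet, legacy IPv4 event, VLAN event.
U2_PACKET, U2_IDS_EVENT, U2_IDS_EVENT_VLAN = 2, 7, 104

EVENT_FMT = ">11I2H4B"   # 52-byte Unified2IDSEvent_legacy body
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond", "sig_id",
                "gen_id", "revision", "classification", "priority", "ip_source",
                "ip_destination", "src_port", "dst_port", "ip_proto", "impact_flag",
                "impact", "blocked")
PACKET_FMT = ">7I"       # 28-byte Unified2Packet header, followed by the captured frame
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def parse_unified2(data):
    """Return [(kind, fields), ...] for every record; an empty file gives []."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        off += 8 + length
        if rtype in (U2_IDS_EVENT, U2_IDS_EVENT_VLAN):
            ev = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body, 0)))
            for k in ("ip_source", "ip_destination"):   # uint32 -> dotted quad
                ev[k] = str(ipaddress.IPv4Address(ev[k]))
            if rtype == U2_IDS_EVENT_VLAN:              # trailing mpls/vlan/policy fields
                ev["mpls_label"], ev["vlan_id"], ev["policy_id"] = struct.unpack_from(">IHH", body, 52)
            records.append(("event", ev))
        elif rtype == U2_PACKET:
            pk = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body, 0)))
            pk["packet_data"] = body[28:28 + pk["packet_length"]]
            records.append(("packet", pk))
        else:                                           # e.g. type 110 extra-data records
            records.append(("unknown", {"type": rtype, "length": length}))
    return records

def build_sample():
    """Constructed unified2 bytes: a legacy event with the values u2spewfoo printed
    above, then a packet record whose frame is the 14-byte Ethernet header from the dump."""
    ev = struct.pack(EVENT_FMT, 0, 1, 1500228129, 176958, 12, 129, 1, 3, 2,
                     int(ipaddress.IPv4Address("192.168.0.10")),
                     int(ipaddress.IPv4Address("192.168.0.41")), 52915, 22, 6, 0, 0, 0)
    frame = bytes.fromhex("0023ae7fcc12201a06d64a3a0800")
    pk = struct.pack(PACKET_FMT, 0, 1, 1500228129, 1500228129, 176958, 1, len(frame)) + frame
    return (struct.pack(">II", U2_IDS_EVENT, len(ev)) + ev
            + struct.pack(">II", U2_PACKET, len(pk)) + pk)
```

Reading a real file is `parse_unified2(open("unified2.log", "rb").read())`; the field names are the parser's own and follow u2spewfoo's labels only loosely.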
Current thread:
- Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Al Lewis (allewi) via Snort-users (Jul 15)
- Re: Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)
- Re: Unified2 Output Jim Campbell (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)