Snort mailing list archives
Re: Unified2 Missing event record
From: Ron H via Snort-devel <snort-devel () lists snort org>
Date: Tue, 16 Jul 2019 20:03:26 +0300
Hi Albert,

I am running Snort as IDS in inline mode - using DAQ PFRING ZC mode.

*Snort Command:*
snort -c snort.conf --daq-dir /usr/local/lib/daq --daq-mode passive --daq pfring_zc -i zc:100@0

*Snort configuration:*
My snort configuration was downloaded from the snort.com website and is compatible with my snort version (2.9.11.1).

*Unified2 configuration in snort.conf:*
output unified2: filename /usr/local/app/snort/unified2/snort.unifed2, limit 100M

I will check if the issue is happening on the most recent version of snort.

Thanks,
Ron. :)

On Tue, Jul 16, 2019 at 7:50 PM Ron H <ronh.work () gmail com> wrote:
> More details:
> Our application creates pcap files from unified2 snort output. The application reads unified2 records (Event record and Packet record).
> The issue is that Snort frequently writes unified2 files without an event record (only a Packet record).
> Can this situation be normal?
>
> Thanks,
> Ron :)
>
> On Tue, Jul 16, 2019 at 7:42 PM Ron H <ronh.work () gmail com> wrote:
>> UP! :)
>> Does someone know this issue?
>>
>> On Mon, Jul 8, 2019 at 7:31 PM Ron H <ronh.work () gmail com> wrote:
>>> Hey Snort devel,
>>> We have an issue with Snort Unified2 output. Snort writes packet records without writing event records. This issue happens frequently.
>>> Our snort version is *2.9.11.1*
>>> Snort runs in an Ubuntu 16.04 Docker container.
>>> We would be grateful for any assistance.
>>> Thanks!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
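A small checker for the situation described in this thread, added here as an example (it is not the poster's application and not Snort's own code): it walks a unified2 file, which is a flat sequence of records each headed by a big-endian uint32 type and uint32 length, and reports packet records whose (sensor_id, event_id) pair was not preceded by an event record in the same file. The record type codes and field layouts are taken from Snort 2.x's Unified2_common.h; the sample file is constructed inline.

```python
import struct
from typing import Iterator, List, Tuple

# Record type codes from Snort 2.x Unified2_common.h.
U2_PACKET = 2
U2_EVENT_TYPES = {7, 72, 99, 100, 104, 105}  # IDS event variants (IPv4/IPv6, MPLS, VLAN)


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each record; the header is two big-endian uint32s."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + rlen]
        off += rlen


def find_orphan_packets(data: bytes) -> List[Tuple[int, int]]:
    """Return (sensor_id, event_id) of packet records with no earlier event record in this file."""
    seen_events = set()
    orphans = []
    for rtype, body in iter_records(data):
        # Event and packet records both begin with sensor_id, event_id (uint32 each).
        key = struct.unpack_from(">II", body, 0)
        if rtype in U2_EVENT_TYPES:
            seen_events.add(key)
        elif rtype == U2_PACKET and key not in seen_events:
            orphans.append(key)
    return orphans


def _event(sensor: int, eid: int, sec: int = 1563289000) -> bytes:
    # UNIFIED2_IDS_EVENT (type 7) has a 52-byte body; fields after the key are zeroed here.
    body = struct.pack(">IIII", sensor, eid, sec, 0) + bytes(52 - 16)
    return struct.pack(">II", 7, len(body)) + body


def _packet(sensor: int, eid: int, payload: bytes = b"\x00" * 14, sec: int = 1563289000) -> bytes:
    # UNIFIED2_PACKET (type 2): sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype (1 = Ethernet), packet_length, then the packet bytes.
    body = struct.pack(">IIIIIII", sensor, eid, sec, sec, 0, 1, len(payload)) + payload
    return struct.pack(">II", U2_PACKET, len(body)) + body


# Constructed sample: one event with its packet, then a packet whose event is missing.
SAMPLE = _event(1, 10) + _packet(1, 10) + _packet(1, 11)

if __name__ == "__main__":
    print(find_orphan_packets(SAMPLE))  # [(1, 11)]
```

If a matching event could have landed in the previous file after a size rollover, run the check across consecutive files before treating a hit as the missing-event problem.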