Re: unified2 logs are empty

[Nick Moore <nmoore () sourcefire com>]

KW,

A couple of things:

   - Portscans do not always yield events. It depends on your preprocessor
   config. A more reliable method of creating events in a lab or very small
   home network is to create a custom rule in local.rules like "alert tcp
   $HOME_NET any -> $EXTERNAL_NET 80 (msg: "someone surfed the web"; sid:
   1000001)". Be careful with that one: I use it for testing Snort at home and
   just clicking on a couple of web pages can generate hundreds of events. If
   you are in a network with more than one person, try something more limited,
   like replacing $HOME_NET with your workstation IP.
   - I'm assuming that your statement below is a typo: outout unified2:
   filename snort.u2, limit 128. It should and probably does read output, not
   outout. Snort would most likely have failed to start if outout was there,
   but please double check.
   - If these suggestions don't work for you, please include your
   snort.conf, barnyard2.conf and the command you use to start snort in your
   reply to the list. It really helps give a better idea of where to look for
   issues.

Thanks and happy snorting!

Nick

On Fri, Jul 9, 2010 at 12:58 AM, Kum Weng Luey <kumwengluey () gmail com>wrote:

> Hi all,
>
> I have configured and setup Snort-2.8.6 with barnyard2-1.8 and am facing
> problems with unified2 logs. The setup and installation of Snort and
> barnyard with mysql yield no errors.
>
> However nothing is being passed to the unified2 logs. I have done a
> portscan on the machine itself but the logs are still empty. What could be
> wrong ?
>
> Hopefully someone could help me with it.
>
> *snort.conf unified2 config*
>
> outout unified2: filename snort.u2, limit 128
>
>
>
> Regards,
> KW
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users