Snort mailing list archives

Unified2 questions


From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 27 Apr 2011 08:22:43 -0600

So yea.....I'm sure you all saw this coming ;)

Now that I have unified2 output, the long and short is: what can I do
with it? I don't want to run barnyard and pipe to a db...I just want to
see the packets on the command line. My research/results so far:

Cerberus: Old, slow, shareware

U2boat: errors with no packets output:

    [08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
    Defaulting to pcap output.
    Error: incomplete record. 662559 of 1073741824 bytes read.
    [08:11:01:~/log$] ls -l ~/test.pcap
    -rw------- 1  0 2011-04-27 08:11 //test.pcap

U2spewfoo: errors with no results:

    [08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
    get_record: (2) Failed to read all of record data.
    Read 662559 of 1073741824 bytes

I looked at mudpit as well, but again, it seems to be just a data
spooler/redirector. My process for handling snort alerts is:

    See the alert in the logs
    Do a whois on the remote IP
    tshark -X the current snort.pcap file matching the remote IP to see
    the raw packet caught

How does unified2 output fit into this type of response? Thanks for any
help all.

James
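A small unified2 reader, added here as an example (not the poster's code and not one of Snort's own tools): it walks the (type, length) record headers, pulls the raw packet out of each packet record, stops cleanly at a trailing partial record like the one u2boat and u2spewfoo choked on, and writes the packets to a pcap that tshark -x can open. The record-type id and field layout are assumed from Snort's published unified2 format; the sample data at the bottom is constructed, and its last header deliberately claims the same 1073741824-byte length seen in the errors above.

```python
import struct
from typing import Iterator, List, Tuple

# Record-type id of a unified2 packet record (assumed from Snort's unified2 format).
UNIFIED2_PACKET = 2
# Every record starts with (type, length), both 32-bit network byte order.
RECORD_HDR = struct.Struct("!II")
# Packet record body: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, followed by the raw packet.
PACKET_HDR = struct.Struct("!7I")

def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) per record; stop at a truncated trailing record
    instead of failing (the 'incomplete record' case in the errors above)."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            break  # partial record: still being written, or a bogus length
        yield rtype, data[off:off + rlen]
        off += rlen

def packets(data: bytes) -> List[Tuple[int, int, int, int, bytes]]:
    """Extract (event_id, pkt_sec, pkt_usec, linktype, packet) per packet record."""
    out = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET or len(body) < PACKET_HDR.size:
            continue
        _sid, eid, _esec, psec, pusec, ltype, plen = PACKET_HDR.unpack_from(body)
        out.append((eid, psec, pusec, ltype, body[PACKET_HDR.size:PACKET_HDR.size + plen]))
    return out

def to_pcap(data: bytes, linktype: int = 1) -> bytes:
    """Build a pcap (readable by tshark -x) from packet records of one linktype."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for _eid, psec, pusec, ltype, pkt in packets(data):
        if ltype == linktype:
            out += struct.pack("<IIII", psec, pusec, len(pkt), len(pkt)) + pkt
    return out

def make_packet_record(event_id: int, linktype: int, pkt: bytes) -> bytes:
    """Build a sample packet record (used only to construct test input)."""
    body = PACKET_HDR.pack(1, event_id, 0, 1303847056, 500, linktype, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

# Constructed sample: one good packet record, then a header whose length field
# claims 1073741824 bytes (as in the u2boat error) with only 8 bytes following.
SAMPLE = (make_packet_record(42, 1, b"\xde\xad\xbe\xef")
          + RECORD_HDR.pack(UNIFIED2_PACKET, 1073741824) + b"\x00" * 8)
```

Writing `to_pcap(open(path, "rb").read())` to a file gives something `tshark -r` can read, so the existing whois-then-tshark workflow carries over to the unified2 log.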
