Snort mailing list archives

Re: Snort logs not being written.
From: Y M <snort () outlook com>
Date: Sun, 25 Nov 2012 21:53:04 +0300

This may sound naive, but can you verify:
1. If snort is actually seeing traffic and generating alerts based on the traffic (you can easily test with icmps once 
protocol-icmp rules are enabled) by suffixing your snort running command with -A console; this will generate the alerts 
to the console instead of writing them to a log.
2. Check snort.conf file and identify which plugin is used to write the logs as snort is the one that writes the logs, 
barnyard2 only parses them (unified2 format) if unified2 output plugin is used.

Did you compile snort from source? If so, which directory was configured to host the logs?

Please correct me if I misunderstood something.

Thanks.
YM
________________________________
From: GB
Sent: 11/25/2012 9:31 PM
To: 'Y M'
Subject: RE: [Snort-users] Snort logs not being written.

Thanks for the response YM,

I am not actually starting BY2 since it really isn’t being used or configured, just looking through its configs because 
that is determining where logs are used and being written.

Thanks,

From: Y M [mailto:snort () outlook com]
Sent: Sunday, November 25, 2012 10:08 AM
To: GB; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logs not being written.
A similar issue I had but may not be related was that snort is writing the unified2 logs to a different location from 
where barnyard2 was supposed to read the file; I was always reading an empty file.

What's the command you use to start barnyard2? In my case I use the -d switch to specify the unified2 file directory, 
-f to specify the file name that barnyard2 should look for (as specified in your snort.conf in the barnyard2 output plugin 
section) and -w to specify the location of the waldo file, given that the barnyard2.conf has all the variables for 
sid-msg.map, gen-msg.map, reference, etc. file locations set up.

Hope this helps.
YM

  _____

From: GB
Sent: 11/25/2012 7:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort logs not being written.

Lots of this issue but none matches my problem.

Before I got there the business was going to use Barnyard2 (I am familiar with BY1 but 2 is new to me…).

They decided they already had a collator so decided they didn’t need BY2 but discovered it had stopped writing logs 
post installation of BY2, sigh.

I can see the Snort engine start up, I can watch it checking its sensors and I even found a BY2.config that looked like 
the culprit but now it is just opening a log file with 0kb and nothing gets written to the file.

This is all running under Fedora.

I can’t find anything on backing out or deactivating BY2, so any help would be appreciated.

Thanks for your patience all!
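The path mismatch YM describes in this thread (Snort writing unified2 under one directory while barnyard2's -d/-f point somewhere else, or at a file that stays 0 KB) can be checked with a small script. This is an added example, not code from the thread or from the Snort or barnyard2 projects; the snort.conf line, the scratch directory and the filenames it uses are constructed, and it assumes Snort's unified2 plugin writes files as `<filename>.<timestamp>`.

```shell
#!/bin/sh
# Added example, not from the thread or from the Snort/barnyard2 projects.
# Checks that the unified2 file snort.conf tells Snort to write is the one
# barnyard2 is pointed at with -d/-f, and that it actually contains data.
# The snort.conf excerpt, scratch directory and filenames are constructed.

# Print the base filename from the first "output unified2:" line in a snort.conf.
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]][[:space:]]*unified2:[[:space:]]*filename[[:space:]][[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_unified2 <snort.conf> <barnyard2 -d dir> <barnyard2 -f name>
# Returns 0 when Snort and barnyard2 agree on the file and it is non-empty.
# Snort names unified2 files <name>.<timestamp>, so match on that prefix.
check_unified2() {
    conf="$1"; logdir="$2"; by2_file="$3"
    name=$(unified2_filename "$conf")
    if [ -z "$name" ]; then
        echo "no 'output unified2' line in $conf: Snort is not writing unified2"
        return 1
    fi
    if [ "$name" != "$by2_file" ]; then
        echo "mismatch: snort.conf writes '$name' but barnyard2 -f is '$by2_file'"
        return 1
    fi
    for f in "$logdir/$name".*; do
        [ -s "$f" ] && { echo "ok: $f has data"; return 0; }
    done
    echo "no non-empty $logdir/$name.* file: check -l/-d paths and whether Snort sees traffic"
    return 1
}

# Demo on a constructed scratch directory: one mismatched and one matching run.
demo() {
    tmp=$(mktemp -d)
    printf 'output unified2: filename snort.u2, limit 128\n' > "$tmp/snort.conf"
    printf 'placeholder unified2 bytes' > "$tmp/snort.u2.1353866000"
    check_unified2 "$tmp/snort.conf" "$tmp" "merged.log" || true   # reports mismatch
    check_unified2 "$tmp/snort.conf" "$tmp" "snort.u2"             # reports ok
    rm -rf "$tmp"
}

demo
```

Point the three arguments at the real snort.conf and at whatever -d and -f barnyard2 is (or was) started with; a "mismatch" or "no non-empty file" result narrows the problem to paths, while an "ok" result points back at whether Snort is generating alerts at all (the -A console test from the first reply).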