Snort mailing list archives

Re: SOLVED: Trouble not getting unified2 files to write.


From: "Tony Reusser" <treusser () filertel com>
Date: Tue, 16 Oct 2012 09:03:10 -0600

I run mine on CentOS 6.3 and I installed from the source tarball.  I don't
have any such thing under /etc/sysconfig/snort.  It looks like the rpm
installer and/or redhat imposed some additional stuff that is causing you
grief.  My advice, uninstall the rpm stuff and just get the latest source
tarball from snort.org and do the standard {tar/unzip/configure/make/make
install}.

I invoke my snort instances with nothing but a -dD flag.  (-d) to dump the
application layer and (-D) to run in daemon mode.  Then I just have that
command in my /etc/rc.local for automatic startup at boot.  I don't worry
about any fancy/schmancy startup scripts or services.  I need two instances
of snort for my two interfaces anyway.  Each one has its own distinct .conf
file too.  Each one has a single output line that creates a single unified2
file with [interface].u2.[timestamp] for a file name that barnyard reads for
the database.  In my BASE GUI, I have all alerts and packet captures at the
click of a button.  It works really well.  On my busiest interface I get
maybe a .01% packet loss.  That is acceptable to me.

Try the manual install/setup and I bet all your headaches will go away.

Just my 2 cents.

        -tkr


-----Original Message-----
From: Thomison, Lee [mailto:ThomisonL () muni org] 
Sent: Monday, October 15, 2012 6:10 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] SOLVED: Trouble not getting unified2 files to write.

Apparently, the -b (log packets in tcpdump style format) (in Redhat
sysconfig/snort it's BINARY_LOG) blocks unified2 output statements that
appear in /etc/snort/snort.conf

So, I had two problems:

1.  redhat was asserting the -b flag in the command line output from
/etc/init.d/snortd, and

2.  redhat was actually including the -A flag in the command line output.

Here is my existing /etc/sysconfig/snort, modified from the one included
with the src.rpm file.



# /etc/sysconfig/snort
# $Id$

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.


#### General Configuration

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth4
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"


# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=0

# Should Snort turn off packet logging?  The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in
SYSLOG=/var/log/messages

# When dumping the stats, how long to wait to make sure that syslog can
# flush data to disk
SECS=5

# To add a BPF filter to the command line uncomment the following variable
# syntax corresponds to tcpdump(8)
#BPF="not host 192.168.1.1"

# To use an external BPF filter file uncomment the following variable
# syntax corresponds to tcpdump(8)
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
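The interaction Lee describes (BINARY_LOG and ALERTMODE in /etc/sysconfig/snort becoming -b and -A on the snort command line, and -b then blocking the unified2 output lines in snort.conf) can be checked before starting the daemon. The script below is an added example, not the Red Hat snortd init script and not from either poster: it models how a sysconfig-driven init script derives flags from the posted variable names, and lints a sysconfig/snort.conf pair for the two settings identified in the thread.

```sh
#!/bin/sh
# Added example, not the Red Hat snortd init script: a simplified model of how
# a sysconfig-driven init script turns /etc/sysconfig/snort variables into snort
# flags, plus a lint for the two settings the thread found at odds with
# "output unified2" in snort.conf. Variable names follow the posted file.

# Print the flags an init script would derive from a sysconfig-style file ($1).
snort_cmdline() {
    unset INTERFACE CONF LOGDIR USER GROUP PASS_FIRST ALERTMODE \
          DUMP_APP BINARY_LOG NO_PACKET_LOG PRINT_INTERFACE BPFFILE
    . "$1"
    args="-i ${INTERFACE:-eth0} -c ${CONF:-/etc/snort/snort.conf} -l ${LOGDIR:-/var/log/snort}"
    [ -n "$USER" ]             && args="$args -u $USER"
    [ -n "$GROUP" ]            && args="$args -g $GROUP"
    [ "$PASS_FIRST" = 1 ]      && args="$args -o"
    [ -n "$ALERTMODE" ]        && args="$args -A $ALERTMODE"   # fast/full/none/unsock
    [ "$DUMP_APP" = 1 ]        && args="$args -d"
    [ "$BINARY_LOG" = 1 ]      && args="$args -b"              # tcpdump-style packet log
    [ "$NO_PACKET_LOG" = 1 ]   && args="$args -N"
    [ "$PRINT_INTERFACE" = 1 ] && args="$args -I"
    [ -n "$BPFFILE" ]          && args="$args -F $BPFFILE"
    printf '%s\n' "$args -D"                                    # daemonize, as in the thread
}

# Return 0 when the derived flags leave unified2 output in snort.conf ($2)
# alone; otherwise print each conflicting setting and return 1.
unified2_conflicts() {
    cmd=$(snort_cmdline "$1")
    grep -qE '^[[:space:]]*output[[:space:]]+unified2' "$2" || return 0
    rc=0
    case " $cmd " in *" -b "*)
        echo "BINARY_LOG=1 adds -b, which blocks the unified2 output lines"; rc=1 ;; esac
    case " $cmd " in *" -A "*)
        echo "ALERTMODE is set and forces -A onto the command line"; rc=1 ;; esac
    return $rc
}

# Constructed sample inputs (not from the thread): a broken and a fixed sysconfig.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'output unified2: filename snort.u2, limit 128\n' > "$tmp/snort.conf"
printf 'INTERFACE=eth4\nUSER=snort\nGROUP=snort\nALERTMODE=fast\nDUMP_APP=1\nBINARY_LOG=1\n' > "$tmp/broken"
printf 'INTERFACE=eth4\nUSER=snort\nGROUP=snort\nALERTMODE=\nDUMP_APP=1\nBINARY_LOG=0\n'    > "$tmp/fixed"

unified2_conflicts "$tmp/broken" "$tmp/snort.conf" || echo "broken: no unified2 file would appear"
unified2_conflicts "$tmp/fixed" "$tmp/snort.conf" && echo "fixed: snort $(snort_cmdline "$tmp/fixed")"
```

With the fixed file the derived command line reduces to the same -d and -D that Tony runs by hand, with unified2 left to snort.conf.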

