Snort mailing list archives

Re: WARNING: Can't extract timestamp extension from 'snort.unified2 limit 128.1373443078'using base 'snort.unified2'


From: Kaushal Shriyan <kaushalshriyan () gmail com>
Date: Thu, 11 Jul 2013 17:05:54 +0530

On Thu, Jul 11, 2013 at 4:54 PM, Kaushal Shriyan
<kaushalshriyan () gmail com> wrote:

Hi,

I am running snort version 2.9.5 and barnyard2 version 2.1.13 on CentOS
6.4. Below are the details of the snort and barnyard2 versions running on
the box.

# /usr/sbin/snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5 GRE (Build 103)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

# /usr/bin/barnyard2 --version

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>
#

I am getting a lot of messages in the messages file: "WARNING: Can't extract
timestamp extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'"

Jul 11 16:49:21 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:21 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'
Jul 11 16:49:22 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:22 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'
Jul 11 16:49:23 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:23 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'
Jul 11 16:49:24 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:24 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'
Jul 11 16:49:25 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:25 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'
Jul 11 16:49:26 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373443078'using base
'snort.unified2'
Jul 11 16:49:26 snort snort[17849]: WARNING: Can't extract timestamp
extension from 'snort.unified2 limit 128.1373492825'using base
'snort.unified2'

Any clue? Please let me know if anyone needs snort IDS and barnyard2
configuration files.

Regards,

Kaushal


Hi again,

Subsequent to the earlier email, please find below further details:

# ps aux | grep snort
snort    11861  0.1  0.7 405964 256444 ?       SNsl 03:17   1:21
/usr/sbin/snort -d -D -i em3 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/em3
snort    11867  0.0  0.2 404512 74084 ?        SNsl 03:17   0:01
/usr/sbin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/em4
root     17849  0.0  0.0 141464  8352 ?        Ss   12:09   0:01 barnyard2
-D -c /etc/snort/barnyard2.conf -d /var/log/snort/em3 -w
/var/log/snort/em3/barnyard2.waldo -l /var/log/snort/em3 -a
/var/log/snort/em3/archive -f snort.unified2 -X
/var/lock/subsys/barnyard2-em3.pid
root     18459  0.0  0.0 103236   876 pts/0    S+   17:00   0:00 grep snort
[root@snort ~]# ps aux | grep barnyard
root     17849  0.0  0.0 141464  8352 ?        Ss   12:09   0:01 barnyard2
-D -c /etc/snort/barnyard2.conf -d /var/log/snort/em3 -w
/var/log/snort/em3/barnyard2.waldo -l /var/log/snort/em3 -a
/var/log/snort/em3/archive -f snort.unified2 -X
/var/lock/subsys/barnyard2-em3.pid
root     18461  0.0  0.0 103236   880 pts/0    S+   17:00   0:00 grep
barnyard
# /sbin/ifconfig em3
em3       Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:50122055 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22401829151 (20.8 GiB)  TX bytes:492 (492.0 b)
          Interrupt:34

# /sbin/ifconfig em4
em4       Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1084 (1.0 KiB)  TX bytes:492 (492.0 b)
          Interrupt:36

#

barnyard2 configuration file ->
http://paste.fedoraproject.org/24554/37354245
snort configuration file -> http://paste.fedoraproject.org/24555/42505137

Regards,

Kaushal
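The following is an added illustration, not part of the thread and not barnyard2's or Snort's own code. It reimplements the two checks the warning above points at: barnyard2 only accepts spool files named exactly `<base>.<timestamp>`, and the file names quoted in the warning contain the literal text `limit 128`, which is what you get when the `output unified2:` line in snort.conf lacks the comma between `filename` and `limit` (the snort.conf is only linked in the thread, so that line is an assumption here). The sample file names and both config lines are constructed for the example; the base name `snort.unified2` is the `-f` argument visible in the ps output above.

```python
import re

# Constructed sample spool-directory listing, modelled on the file names that
# appear in the barnyard2 warnings quoted in this thread (the trailing digits
# are the Unix timestamp Snort's unified2 plugin appends to each file).
SAMPLE_SPOOL_FILES = [
    "snort.unified2 limit 128.1373443078",
    "snort.unified2 limit 128.1373492825",
    "barnyard2.waldo",
]

# Constructed snort.conf output lines. BROKEN_OUTPUT_LINE is a hypothetical
# reconstruction of what must have produced the file names above; the real
# snort.conf is only linked in the thread. FIXED_OUTPUT_LINE is the documented
# comma-separated form.
BROKEN_OUTPUT_LINE = "output unified2: filename snort.unified2 limit 128"
FIXED_OUTPUT_LINE = "output unified2: filename snort.unified2, limit 128"


def extract_timestamp(filename, base):
    """Return the integer timestamp extension of a spool file, or None.

    Reimplements the check implied by the warning text: a spool file must be
    named exactly '<base>.<digits>'. Illustrative only, not barnyard2's code.
    """
    if not filename.startswith(base + "."):
        return None
    ext = filename[len(base) + 1:]
    return int(ext) if ext.isdigit() else None


def scan_spool(files, base):
    """Split a directory listing into usable spool files and warnings.

    Returns (matched, warnings): matched maps file name -> timestamp; warnings
    holds one message per file that starts with the base but carries no
    parseable timestamp extension. The message text (including the missing
    space before 'using') reproduces the log lines quoted in this thread.
    """
    matched, warnings = {}, []
    for name in files:
        ts = extract_timestamp(name, base)
        if ts is not None:
            matched[name] = ts
        elif name.startswith(base):
            warnings.append(
                f"WARNING: Can't extract timestamp extension from '{name}'"
                f"using base '{base}'"
            )
    return matched, warnings


_OUTPUT_RE = re.compile(r"^\s*output\s+unified2\s*:\s*(.*?)\s*$")


def parse_unified2_options(line):
    """Parse an 'output unified2:' line the way the file names in this thread
    suggest Snort does: options are split on commas, then each option is split
    once on whitespace into key and value. A missing comma therefore leaves
    'limit 128' inside the filename value. Returns option -> value, or None if
    the line is not a unified2 output line.
    """
    m = _OUTPUT_RE.match(line)
    if not m:
        return None
    opts = {}
    for field in m.group(1).split(","):
        parts = field.strip().split(None, 1)
        if not parts:
            continue
        opts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def check_config_consistency(output_line, barnyard_base):
    """Compare the Snort filename with the base passed to barnyard2 via -f.

    Returns a list of human-readable problems; an empty list means the two
    agree and spool files will be named '<base>.<timestamp>'.
    """
    opts = parse_unified2_options(output_line) or {}
    filename = opts.get("filename", "")
    problems = []
    if any(c.isspace() for c in filename):
        problems.append(
            f"unified2 filename '{filename}' contains whitespace; the options "
            "after it were probably not separated by commas"
        )
    if filename != barnyard_base:
        problems.append(
            f"Snort writes '{filename}.<timestamp>' but barnyard2 looks for "
            f"'{barnyard_base}.<timestamp>'"
        )
    return problems


if __name__ == "__main__":
    matched, warnings = scan_spool(SAMPLE_SPOOL_FILES, "snort.unified2")
    print(f"usable spool files: {matched}")
    for w in warnings:
        print(w)
    for line in (BROKEN_OUTPUT_LINE, FIXED_OUTPUT_LINE):
        print(line, "->", check_config_consistency(line, "snort.unified2") or "OK")
```

Run as a script, it reproduces both warnings for the constructed listing and reports two problems for the comma-less line and none for the corrected one. The practical check on a box like the one above is to compare `ls /var/log/snort/em3` against the `-f` base barnyard2 was started with: if the names carry anything other than a dot and digits after the base, the Snort side of the configuration is what needs fixing, and barnyard2 will keep logging the warning every poll until it is.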
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
