Snort mailing list archives

Re: unified2 alert files with trailing period and no appended timestamp?


From: Mike Cox <mike.cox52 () gmail com>
Date: Fri, 17 Jan 2014 15:49:54 -0500

Unfortunately I cannot (NDA with client).  Other than what I've already
provided, I can say that the .unified2.alert.0 file appears to be the
correct unified2 file (and in the correct directory), it's just that
filename seems to be wack.

I've tried adding flags to the output line like these but I still get the
same results:


output unified2: filename unified2.alert, nostamp

output unified2: filename unified2.alert, mpls_event_types

Thanks.

-Mike Cox


On Fri, Jan 17, 2014 at 1:20 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:

Hello Mike,

Can you send me your snort.conf, pcap and command line?

Thanks!

B


On Fri, Jan 17, 2014 at 9:04 AM, Mike Cox <mike.cox52 () gmail com> wrote:

I'm investigating a client's setup and they are running Snort 2.9.3.1.

The snort conf file has the following line:

output unified2: filename unified2.alert

Snort is being run with an explicit '-l' switch to set the log directory.

When I run a pcap thru the engine that generates an alert, the unified2
alert filename in the log directory looks like this (note the leading
period and lack of appended timestamp):

.unified2.alert.0

Is this a known bug with this version of Snort?  Any other reason why
this would be happening?

Thanks.

-Mike Cox
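An added check, not part of this thread: the Python below verifies that a suspicious file in the Snort log directory really is a unified2 record stream (the thread only says it "appears to be") and labels its name against the two naming forms the output lines above produce, flagging the leading-dot form as a hidden file that log collectors can miss. Record type values and the legacy IDS event layout are assumed from Snort's Unified2_common.h, and the sample record bytes are constructed.

```python
import re
import socket
import struct
# Unified2 is a record stream; each record starts with two network-order uint32s (type,
# body length). Type values and the 52-byte legacy IDS event (type 7) layout are assumed.
U2_PACKET, U2_IDS_EVENT = 2, 7
KNOWN_TYPES = {U2_PACKET, U2_IDS_EVENT, 72, 99, 100, 104, 105, 110}
_HDR = struct.Struct("!II")
_EVT = struct.Struct("!9I4s4sHHBBBB")  # 9 x uint32, src/dst IPv4, 2 ports, 4 flag bytes

def classify_name(name: str, base: str = "unified2.alert") -> str:
    """Default output appends '.<10-digit epoch>'; 'nostamp' writes the bare base."""
    if name.startswith("."):
        return "hidden"  # dotfile: a collector globbing 'base*' never picks it up
    if name == base:
        return "nostamp"
    if re.fullmatch(re.escape(base) + r"\.\d{10}", name):
        return "stamped"
    return "unexpected"

def iter_records(data: bytes):
    """Yield (type, body) per record; raise ValueError if this is not unified2."""
    off = 0
    while off < len(data):
        if len(data) - off < _HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = _HDR.unpack_from(data, off)
        if rtype not in KNOWN_TYPES or rlen > len(data) - off - _HDR.size:
            raise ValueError(f"not unified2 at offset {off}: type={rtype} len={rlen}")
        off += _HDR.size
        yield rtype, data[off:off + rlen]
        off += rlen

def ids_events(data: bytes) -> list:
    """Decode each legacy IDS event into the fields an analyst looks at first."""
    out = []
    for rtype, body in iter_records(data):
        if rtype == U2_IDS_EVENT:
            f = _EVT.unpack_from(body)
            out.append({"gid": f[5], "sid": f[4], "rev": f[6], "event_second": f[2],
                        "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                        "sport": f[11], "dport": f[12], "proto": f[13]})
    return out

# Constructed sample: one type-7 record, local rule 1:1000001 rev 3, TCP 10.0.0.5:40000 -> 192.168.1.10:80
SAMPLE_EVENT = _EVT.pack(1, 1, 1389990000, 0, 1000001, 1, 3, 0, 2,
                         socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.10"),
                         40000, 80, 6, 0, 0, 0)
SAMPLE_FILE = _HDR.pack(U2_IDS_EVENT, len(SAMPLE_EVENT)) + SAMPLE_EVENT
```

Run `ids_events(open(path, "rb").read())` on the real `.unified2.alert.0` to confirm it decodes cleanly; a ValueError means the file is not what Snort should have written.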


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
