Snort mailing list archives
Re: unified2 alert files with trailing period and no appended timestamp?
From: Mike Cox <mike.cox52 () gmail com>
Date: Fri, 24 Jan 2014 09:30:50 -0500
Thanks Bhagaya, I understand what you are saying but the 'nostamp' option wasn't present when I experienced this issue. I added it for a test to see if the filename ('.unified2.alert.0') would be different. It was not. The configuration that is used when I experience this issue is still this: *output unified2: filename unified2.alert* Thanks. -Mike Cox On Tue, Jan 21, 2014 at 8:27 AM, Bhagya Bantwal <bbantwal () sourcefire com>wrote:
If you remove the nostamp config option, the timstamps will be appended to the filename. Thanks! On Fri, Jan 17, 2014 at 3:49 PM, Mike Cox <mike.cox52 () gmail com> wrote:Unfortunately I cannot (NDA with client). Other than what I've already provided, I can say that the .unified2.alert.0 file appears to be the correct unified2 file (and in the correct directory), it's just that filename seems to be wack. I've tried adding flags to the output line like these but I still get the same results: *output unified2: filename unified2.alert, nostamp* *output unified2: filename unified2.alert, mpls_event_types* Thanks. -Mike Cox On Fri, Jan 17, 2014 at 1:20 PM, Bhagya Bantwal <bbantwal () sourcefire com>wrote:Hello Mike, Can you send me your snort.conf, pcap and command line? Thanks! B On Fri, Jan 17, 2014 at 9:04 AM, Mike Cox <mike.cox52 () gmail com> wrote:I'm investigating a client's setup and they are running Snort 2.9.3.1. The snort conf file has the following line: *output unified2: filename unified2.alert* Snort is being run with an explicit '-l' switch to set the log directory. When I run a pcap thru the engine that generates an alert, the unified2 alert filename in the log directory looks like this (note the leading period and lack of appended timestamp): *.unified2.alert.0* Is this a known bug with this version of Snort? Any other reason why this would be happening? Thanks. -Mike Cox ------------------------------------------------------------------------------ CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments & Everything In Between. Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- unified2 alert files with trailing period and no appended timestamp? Mike Cox (Jan 17)
- Re: unified2 alert files with trailing period and no appended timestamp? Bhagya Bantwal (Jan 17)
- Re: unified2 alert files with trailing period and no appended timestamp? Mike Cox (Jan 17)
- Re: unified2 alert files with trailing period and no appended timestamp? Bhagya Bantwal (Jan 21)
- Re: unified2 alert files with trailing period and no appended timestamp? Mike Cox (Jan 24)
- Re: unified2 alert files with trailing period and no appended timestamp? Mike Cox (Jan 17)
- Re: unified2 alert files with trailing period and no appended timestamp? Bhagya Bantwal (Jan 17)