Snort mailing list archives
Not working unified2 module in snort++ (snort 3.0)
From: 박종일 <pji5732 () naver com>
Date: Thu, 15 Jan 2015 16:03:15 +0900 (KST)
I want to save the log of Snort 3.0 as a unified2 file; however, I am unable to do it. In my case a unified2 file is created, but the file has no contents.

My settings (snort.lua):

---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config')  -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = not HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B

-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
--perf_monitor.console = true
--perf_monitor.file = false
perf_monitor.seconds = 10
perf_monitor.packets = 5

arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard

--unified2 & output
alert_fast = { }
alert_syslog = { }
unified2 = { }
unified2.nostamp = true
output = { }
---------------------------------------------------------------------------

And then I start it. Command:

snort -i env16777736 -c /usr/lib/etc/snort/snort.lua -K text

However, the file has no contents:

[root@localhost ~]# ll
total 39016
drwxr-xr-x.  2 root root       27 Jan 11 23:57 a
-rw-------.  1 root root      979 Jan 11 19:02 anaconda-ks.cfg
-rwxr--r--.  1 root root     1011 Jan 12 01:43 autoinstall.sh
drwxr-xr-x. 11 root root     4096 Jan 14 00:00 barnyard2
drwxr-xr-x.  6 root root     4096 Jan 11 23:39 daq-2.0.4
-rw-r--r--.  1 root root   495316 Oct 23 12:57 daq-2.0.4.tar.gz
drwxr-xr-x.  9  501  501     4096 Jan 11 21:03 libdnet-1.12
-rw-r--r--.  1 root root   970125 Jan 20  2007 libdnet-1.12.tgz
-rw-------.  1 root root    38654 Jan 14 12:09 log.pcap
drwxr-xr-x.  9  501 games    4096 Jan 14 07:45 snort-3.0.0-a1
-rw-r--r--.  1 root root  2811656 Dec 10 07:44 snort-3.0.0-a1-130-auto.tar.gz
drwxr-xr-x.  4  501 games    4096 Jan 14 07:30 snort_extra-1.0.0-a1
-rw-r--r--.  1 root root   381847 Dec 16 12:55 snort_extra-1.0.0-a1-130-auto.tar.gz
-rw-r--r--.  1 root root 35213966 Jan 13 13:59 snortrules-2970.tar.gz
-rw-------.  1 root root        0 Jan 14 12:41 unified2log.u2.1421257261
-rw-------.  1 root root        0 Jan 14 12:43 unified2log.u2.1421257384
-rw-------.  1 root root        0 Jan 14 12:45 unified2log.u2.1421257511
-rw-------.  1 root root        0 Jan 14 12:47 unified2log.u2.1421257621
-rw-------.  1 root root        0 Jan 14 13:47 unified2log.u2.1421261256
[root@localhost ~]# cat unified2log.u2.1421261256
[root@localhost ~]#

Please help me....

Blog signature: If you have started something, see it through to the end.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
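A practical first check when a unified2 file looks empty is to walk its records rather than `cat` it: unified2 is a binary stream of (type, length) headers, and a 0-byte file simply means no event or packet was ever written, which is what you get when nothing triggers an alert. The reader below is an added example written for this thread, not code from the original post or from the Snort project. It follows the Unified2 record layout as published for Snort 2.9 (big-endian 32-bit type and length, followed by the payload; the legacy IPv4 event record, type 7, is 52 bytes). The sample bytes are constructed inline, including a deliberately truncated trailing record, so the script runs offline; the IP addresses and signature id in the sample are made up.

```python
"""Walk a Unified2 file and report what it contains.

Added example; not from the original post or from the Snort project.
Record layout follows the Unified2 format as documented for Snort 2.9:
every record is a big-endian header of (type:u32, length:u32) followed
by `length` bytes of payload.  Only the legacy IPv4 event record
(type 7) is decoded in full; other types are counted by number.
"""
import struct
from collections import Counter

# Record type constants from the Unified2 specification.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

_HDR = struct.Struct("!II")            # type, length
_EVENT_V1 = struct.Struct("!11I2H4B")  # Serial_Unified2IDSEvent_legacy, 52 bytes


def iter_records(data):
    """Yield (type, payload) for each complete record in `data`.

    A trailing partial record (file still being written, or a truncated
    copy) stops iteration instead of raising, so an empty file yields
    nothing and a half-written tail is not misparsed.
    """
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        off += _HDR.size
        if off + rlen > len(data):
            break  # incomplete record: stop here
        yield rtype, data[off:off + rlen]
        off += rlen


def decode_event_v1(payload):
    """Decode a type-7 (IPv4, legacy) IDS event into a dict."""
    if len(payload) != _EVENT_V1.size:
        raise ValueError("bad event length %d" % len(payload))
    f = _EVENT_V1.unpack(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "signature_id": f[4],
        "generator_id": f[5], "signature_revision": f[6],
        "classification_id": f[7], "priority_id": f[8],
        "ip_source": f[9], "ip_destination": f[10],
        "sport_itype": f[11], "dport_icode": f[12],
        "protocol": f[13], "impact_flag": f[14],
        "impact": f[15], "blocked": f[16],
    }


def summarize(data):
    """Return a Counter of record types; an empty Counter means nothing was logged."""
    return Counter(rtype for rtype, _ in iter_records(data))


def build_sample():
    """Constructed sample: one event, its packet record, then a truncated
    event so both the normal path and the partial-tail path are exercised."""
    ev = _EVENT_V1.pack(1, 42, 1421261256, 0,      # sensor, event id, sec, usec
                        1000001, 1, 1, 0, 3,       # sid, gid, rev, class, prio
                        0xC0A8DF0A, 0xC0A8DF01,    # 192.168.223.10 -> 192.168.223.1 (made up)
                        12345, 80, 6, 0, 0, 0)     # sport, dport, TCP, impact/blocked
    pkt_data = b"\x00" * 14 + b"\x45" + b"\x00" * 59  # dummy 74-byte frame
    pkt = struct.pack("!7I", 1, 42, 1421261256, 1421261256, 0, 1, len(pkt_data)) + pkt_data
    out = _HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    out += _HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt
    out += _HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev[:10]  # truncated tail
    return out


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample()
    counts = summarize(blob)
    if not counts:
        print("no records: file is empty or holds only a partial record")
    for rtype, n in sorted(counts.items()):
        print("type %d: %d record(s)" % (rtype, n))
```

Run it as `python u2walk.py unified2log.u2.1421261256` (the script name is arbitrary); with no argument it walks the constructed sample. On the 0-byte files shown in the post it reports no records at all, which distinguishes "the output module never wrote anything" from "the file is binary and cat shows nothing readable".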
Current thread:
- Not working unified2 module in snort++ (snort 3.0) 박종일 (Jan 14)
- Re: Not working unified2 module in snort++ (snort 3.0) Russ Combs (rucombs) (Jan 15)