Re: Not working unified2 module in snort++ (snort 3.0)

["Russ Combs (rucombs)" <rucombs () cisco com>]

Look for ** comments below.

________________________________
From: 박종일 [pji5732 () naver com]
Sent: Thursday, January 15, 2015 2:03 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Not working unified2 module in snort++ (snort 3.0)

I want to save the log file of snort 3.0 as unified2 file.

however, i be unable to do it

my case is create unified2 file

but, file is no contents

my setting (snort.lua)

--------------------------------------------------------------------------
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config')  -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = not HOME_NET

** The not HOME_NET syntax is valid Lua but results in a bool variable which won't work.  That negation needs to be 
done via string concatenation like this:

** EXTERNAL_NET = '!' .. HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
--
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B
-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
--perf_monitor.console = true
--perf_monitor.file = false
perf_monitor.seconds = 10
perf_monitor.packets = 5


arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard


--unified2 & output
alert_fast = { }
alert_syslog = { }

** These will result in additional alert modes being activated.  This is supported, just an FYI.

unified2 = { }
unified2.nostamp = ture

** true should be true.  The typo results in an undefined variable which means nostamp is set to nil and this is 
unknown to Snort (a documented 'gotcha').  That's why you see timestamps below.

output = { }

** There are no rules defined so you won't get any alerts even with the above changes.  Check the ips module or use the 
-R option, etc.

--------------------------------------------------------------------------


and then,  i start it

command : snort -i env16777736  -c /usr/lib/etc/snort/snort.lua -K text

however, file's contents is not

[root@localhost ~]# ll
total 39016
drwxr-xr-x.  2 root root        27 Jan 11 23:57 a
-rw-------.  1 root root       979 Jan 11 19:02 anaconda-ks.cfg
-rwxr--r--.  1 root root      1011 Jan 12 01:43 autoinstall.sh
drwxr-xr-x. 11 root root      4096 Jan 14 00:00 barnyard2
drwxr-xr-x.  6 root root      4096 Jan 11 23:39 daq-2.0.4
-rw-r--r--.  1 root root    495316 Oct 23 12:57 daq-2.0.4.tar.gz
drwxr-xr-x.  9  501   501     4096 Jan 11 21:03 libdnet-1.12
-rw-r--r--.  1 root root    970125 Jan 20  2007 libdnet-1.12.tgz
-rw-------.  1 root root     38654 Jan 14 12:09 log.pcap
drwxr-xr-x.  9  501 games     4096 Jan 14 07:45 snort-3.0.0-a1
-rw-r--r--.  1 root root   2811656 Dec 10 07:44 snort-3.0.0-a1-130-auto.tar.gz
drwxr-xr-x.  4  501 games     4096 Jan 14 07:30 snort_extra-1.0.0-a1
-rw-r--r--.  1 root root    381847 Dec 16 12:55 snort_extra-1.0.0-a1-130-auto.tar.gz
-rw-r--r--.  1 root root  35213966 Jan 13 13:59 snortrules-2970.tar.gz
-rw-------.  1 root root         0 Jan 14 12:41 unified2log.u2.1421257261
-rw-------.  1 root root         0 Jan 14 12:43 unified2log.u2.1421257384
-rw-------.  1 root root         0 Jan 14 12:45 unified2log.u2.1421257511
-rw-------.  1 root root         0 Jan 14 12:47 unified2log.u2.1421257621
-rw-------.  1 root root         0 Jan 14 13:47 unified2log.u2.1421261256
[root@localhost ~]# cat unified2log.u2.1421261256
[root@localhost ~]#



please help me....

블로그서명

[블로그]<http://blog.naver.com/pji5732.do> 시작했다면 끝을 보아라<http://blog.naver.com/pji5732.do>
자기소개를 입력하세요.<http://blog.naver.com/pji5732.do>
[http://mail.naver.com/readReceipt/notify/?img=SlYqFqkG1NISa6i4hAnZKxJoKopoMxuXKxb9KxgqFruZFAvXF6MXazigMX%2B0Mour74lR74lcWNFlbX30WLloWrdQaXF5WXid7630%2B4kntzwGbX3q7NFT%2BBiop6pTb4%2B074l0%2Bg%3D%3D.gif]

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!