Re: Unified 2 not working. I need help.

[Matthew White <on3moda () gmail com>]

Tried your steps and still no .u2 file.

On Fri, Jan 22, 2016 at 2:59 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Specify full path in your snort.conf:
>
> output unified2: filename /your/path/here/bleh.u2
>
> for testing remove the -D and -q from your command line.
>
> James
>
> On 2016-01-22 13:50, Matthew White wrote:
>
> tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3 -F
> /etc/snort/internalbpf.filter -c
> /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort still to no avail.
>
> On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar <avery.rozar () insecure-it com>
> wrote:
>
> > Try adding "-l /var/log/snort" to step # 4.
> >
> > On Fri, Jan 22, 2016 at 3:33 PM, Matthew White <on3moda () gmail com> wrote:
> >
> > > 1. The specified unified 2 log is not being created.
> > > 2. Instead I get the snort.log.date (tcpdump) default and alerts.
> > > 3. snort.conf - output unified2: filename internal.u2, limit 128,
> > > vlan_event_types
> > > 4. running snort with sudo /usr/local/bin/snort -D -q -i eth3 -F
> > > /etc/snort/internalbpf.filter -c
> > > /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
> > > 5. No errors or warnings when grep from /var/log/messages
> > > 6. Running RHEL 6
> > > 7. Installed and compiled from source
> > > 8. Snort has rwx for /var/log/snort
> > > 9. Deleted all logs
> > > 10. Since this was installed from a tarball no file /etc/sysconfig/snort
> > > exists.
> > > 11. tail -f alerts and snort.log are working great.
> > > 12. Manually made /etc/sysconfig/snort with the following with no
> > > success as well.
> > >
> > > # /etc/sysconfig/snort
> > > # $Id:
> > > #### General Configuration
> > > INTERFACE=eth2
> > > CONF=/(Path to)/snort.conf
> > > USER=snort
> > > GROUP=snort
> > > PASS_FIRST=0
> > > #### Logging & Alerting
> > > LOGDIR=/var/log/snort
> > > ALERTMODE=fast
> > > DUMP_APP=1
> > > BINARY_LOG=1
> > > NO_PACKET_LOG=0
> > > PRINT_INTERFACE=0
> > >
> > > ------------------------------------------------------------------------------
> > > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > > Monitor end-to-end web transactions and take corrective actions now
> > > Troubleshoot faster and improve end-user experience. Signup Now!
> > > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!