Snort mailing list archives

Re: Unified 2 not working. I need help.


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 28 Jan 2016 07:07:34 -0700

At this time I will defer this to someone else on the list.

James

On Wed, 2016-01-27 at 15:00 -0600, Matthew White wrote:
Yes, I tried that and it's still a no-go.


On Mon, Jan 25, 2016 at 10:21 AM, James Lay <jlay () slave-tothe-box net>
wrote:

        Try:
        
        output unified2: filename /(path)/external1.u2
        
        James
        
        On 2016-01-25 08:52, Matthew White wrote:
        
        
        > Ran /(path)/snort -D -q -i eth3 -F /(path)/internalbf.filter -c /(path)/snort.conf.internal as root but still the same.
        > Also ran /(path)/snort -i eth3 -F /(path)/internalbf.filter -c /(path)/snort.conf.internal as root but still the same.
        > 
        > What's funny is that output alert_unified2: works fine.
        >  
        > 
        > 
        > 
        > # unified2
        > # Recommended for most installs
        > # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
        > output unified2: filename /(path)/external1-snort.log, limit 128, vlan_event_types
        > output alert_unified2: filename external1-snort.alert, limit 128
        > 
        > 
        > On Sat, Jan 23, 2016 at 5:13 AM, James Lay
        > <jlay () slave-tothe-box net> wrote:
        > 
        >         At this point I would test as root... otherwise please post a sanitized version of your complete snort.conf.
        >         
        >         James 
        >         
        >         
        >         
        >         On Fri, 2016-01-22 at 16:02 -0600, Matthew White
        >         wrote: 
        >         
        >         > Tried your steps and still no .u2 file.
        >         > On Fri, Jan 22, 2016 at 2:59 PM, James Lay
        >         > <jlay () slave-tothe-box net> wrote:
        >         > 
        >         > > Specify full path in your snort.conf:
        >         > > 
        >         > > output unified2: filename /your/path/here/bleh.u2
        >         > > 
        >         > > For testing, remove the -D and -q from your command line.
        >         > > 
        >         > > James
        >         > > On 2016-01-22 13:50, Matthew White wrote:
        >         > > 
        >         > > > Tried /usr/local/bin/snort -l /var/log/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort, still to no avail.
        >         > > > On Fri, Jan 22, 2016 at 2:40 PM, Avery Rozar
        >         > > > <avery.rozar () insecure-it com> wrote:
        >         > > > 
        >         > > > > Try adding "-l /var/log/snort" to step # 4.
        >         > > > > On Fri, Jan 22, 2016 at 3:33 PM, Matthew
        >         > > > > White <on3moda () gmail com> wrote:
        >         > > > > 
        >         > > > > > 1. The specified unified2 log is not being created.
        >         > > > > > 2. Instead I get the snort.log.date (tcpdump) default and alerts.
        >         > > > > > 3. snort.conf - output unified2: filename internal.u2, limit 128, vlan_event_types
        >         > > > > > 4. Running snort with sudo /usr/local/bin/snort -D -q -i eth3 -F /etc/snort/internalbpf.filter -c /usr/src/snort-2.9.8.0/etc/snort.conf.internal -u snort
        >         > > > > > 5. No errors or warnings when grepping /var/log/messages
        >         > > > > > 6. Running RHEL 6
        >         > > > > > 7. Installed and compiled from source
        >         > > > > > 8. Snort has rwx for /var/log/snort
        >         > > > > > 9. Deleted all logs
        >         > > > > > 10. Since this was installed from a tarball, no file /etc/sysconfig/snort exists.
        >         > > > > > 11. tail -f alerts and snort.log are working great.
        >         > > > > > 12. Manually made /etc/sysconfig/snort with the following, with no success as well.
        >         > > > > > 
        >         > > > > > # /etc/sysconfig/snort
        >         > > > > > # $Id: 
        >         > > > > > #### General Configuration
        >         > > > > > INTERFACE=eth2
        >         > > > > > CONF=/(Path to)/snort.conf
        >         > > > > > USER=snort
        >         > > > > > GROUP=snort
        >         > > > > > PASS_FIRST=0
        >         > > > > > #### Logging & Alerting
        >         > > > > > LOGDIR=/var/log/snort
        >         > > > > > ALERTMODE=fast
        >         > > > > > DUMP_APP=1
        >         > > > > > BINARY_LOG=1
        >         > > > > > NO_PACKET_LOG=0
        >         > > > > > PRINT_INTERFACE=0
        >         > > > > > 
        >         > > > > > ------------------------------------------------------------------------------
        >         > > > > > Site24x7 APM Insight: Get Deep Visibility
        >         > > > > > into Application Performance
        >         > > > > > APM + Mobile APM + RUM: Monitor 3 App
        >         > > > > > instances at just $35/Month
        >         > > > > > Monitor end-to-end web transactions and
        >         > > > > > take corrective actions now
        >         > > > > > Troubleshoot faster and improve end-user
        >         > > > > > experience. Signup Now!
        >         > > > > > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
        >         > > > > > _______________________________________________
        >         > > > > > Snort-users mailing list
        >         > > > > > Snort-users () lists sourceforge net
        >         > > > > > Go to this URL to change user options or
        >         > > > > > unsubscribe:
        >         > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
        >         > > > > > Snort-users list archive:
        >         > > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        >         > > > > > 
        >         > > > > > Please visit http://blog.snort.org to stay
        >         > > > > > current on all the latest Snort news!
        >         > > > 
        >         > > > ------------------------------------------------------------------------------
        >         > > > Site24x7 APM Insight: Get Deep Visibility into
        >         > > > Application Performance
        >         > > > APM + Mobile APM + RUM: Monitor 3 App
        >         > > > instances at just $35/Month
        >         > > > Monitor end-to-end web transactions and take
        >         > > > corrective actions now
        >         > > > Troubleshoot faster and improve end-user
        >         > > > experience. Signup Now!
        >         > > > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
        >         > > > _______________________________________________
        >         > > > Snort-users mailing list
        >         > > > Snort-users () lists sourceforge net
        >         > > > Go to this URL to change user options or
        >         > > > unsubscribe:
        >         > > > https://lists.sourceforge.net/lists/listinfo/snort-users
        >         > > > Snort-users list archive:
        >         > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        >         > > > 
        >         > > > Please visit http://blog.snort.org to stay
        >         > > > current on all the latest Snort news!
        >         > > 
        >         > > 
        >         > >  
        >         > >  
        >         > > 
        >         > > ------------------------------------------------------------------------------
        >         > > Site24x7 APM Insight: Get Deep Visibility into
        >         > > Application Performance
        >         > > APM + Mobile APM + RUM: Monitor 3 App instances
        >         > > at just $35/Month
        >         > > Monitor end-to-end web transactions and take
        >         > > corrective actions now
        >         > > Troubleshoot faster and improve end-user
        >         > > experience. Signup Now!
        >         > > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
        >         > > _______________________________________________
        >         > > Snort-users mailing list
        >         > > Snort-users () lists sourceforge net
        >         > > Go to this URL to change user options or
        >         > > unsubscribe:
        >         > > https://lists.sourceforge.net/lists/listinfo/snort-users
        >         > > Snort-users list archive:
        >         > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        >         > > 
        >         > > Please visit http://blog.snort.org to stay
        >         > > current on all the latest Snort news!
        >         > 
        >         > 
        >         > 
        >         > ------------------------------------------------------------------------------
        >         > Site24x7 APM Insight: Get Deep Visibility into Application Performance
        >         > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
        >         > Monitor end-to-end web transactions and take corrective actions now
        >         > Troubleshoot faster and improve end-user experience. Signup Now!
        >         > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
        >         > _______________________________________________
        >         > Snort-users mailing list
        >         > Snort-users () lists sourceforge net
        >         > Go to this URL to change user options or unsubscribe:
        >         > https://lists.sourceforge.net/lists/listinfo/snort-users
        >         > Snort-users list archive:
        >         > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        >         > 
        >         > Please visit http://blog.snort.org to stay current on all the latest Snort news!
        >         
        >         
        >         
        >         
        >         
        
        
         
        
        
         
        
        







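The suggestions in this thread boil down to three preconditions for a unified2 file to appear: the "output unified2:" line must be active (not the commented-out template), a relative filename lands in the log directory given by -l (default /var/log/snort), and the user Snort runs as must be able to create files there. The POSIX shell script below is an added example, not part of this thread or of the Snort project; it reads a snort.conf, resolves the unified2 filename against the log directory and reports the first precondition that fails. The function names (unified2_filename, resolve_logpath, check_unified2) and the demo config file it writes are this example's own constructions.

```sh
#!/bin/sh
# Added example (not from the thread or from Snort): pre-flight check for a
# Snort 2.9 "output unified2:" line. Function names are this example's own.

# unified2_filename CONF
# Prints the filename argument of the first *active* "output unified2:" line,
# skipping commented-out lines such as the template shipped in snort.conf.
unified2_filename() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | sed -n 's/^[[:space:]]*output unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' \
        | head -n 1
}

# resolve_logpath FILENAME LOGDIR
# A relative filename is created inside LOGDIR (Snort's -l directory,
# /var/log/snort by default); an absolute filename is used as given.
resolve_logpath() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${2%/}" "$1" ;;
    esac
}

# check_unified2 CONF [LOGDIR]
# Returns 0 when an active output line exists and its target directory is
# writable by the current user; otherwise prints the failing precondition
# and returns 1. Run it as the user Snort will drop to (-u) for a true answer.
check_unified2() {
    conf="$1"
    logdir="${2:-/var/log/snort}"
    fname=$(unified2_filename "$conf")
    if [ -z "$fname" ]; then
        echo "no active 'output unified2: filename ...' line in $conf"
        return 1
    fi
    target=$(resolve_logpath "$fname" "$logdir")
    dir=$(dirname "$target")
    if [ ! -d "$dir" ]; then
        echo "directory $dir does not exist (create it and chown it to the snort user)"
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "directory $dir is not writable by $(id -un); run as root or fix ownership"
        return 1
    fi
    echo "ok: unified2 records will be written under $dir (base name $(basename "$target"))"
    return 0
}

# Demo on a constructed config that mirrors the thread: the shipped template
# line is commented out and the active line uses a relative filename.
tmp=$(mktemp -d)
cat > "$tmp/snort.conf.demo" <<'EOF'
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename internal.u2, limit 128, vlan_event_types
EOF
check_unified2 "$tmp/snort.conf.demo" "$tmp"                 # writable temp dir: ok
check_unified2 "$tmp/snort.conf.demo" "$tmp/missing" || true  # -l points at a missing dir
rm -rf "$tmp"
```

The script only inspects the configuration and the filesystem; it does not start Snort. Running it as the account named by -u (rather than as root, who can write anywhere) gives the same answer the daemon will get when it tries to open the file.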
