Snort mailing list archives
Re: Snort read file to generate u2 logs.
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 22 Feb 2017 11:28:24 +0000
Yes. The place where the inspected traffic comes from (network interface or file) shouldn't matter. Does the file/pcap traffic have bad checksums? If so, add "-k none" to snort when you start it.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Paul Li <paul () scybersecurity com>
Date: Tuesday, February 21, 2017 at 11:05 PM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort read file to generate u2 logs.

(Sorry, the previous email was broken.)

Al, do you indicate that Snort should generate .u2 files when it reads from a file?

Thanks,
Paul

On Tue, Feb 21, 2017 at 11:04 PM, Paul Li <paul () scybersecurity com> wrote:

Yes, Al, there's a .log file generated in the directory /var/log/snort. Also, the same user can generate a .u2 log when snort reads directly from the network interface. So do you indicate that

On Tue, Feb 21, 2017 at 10:57 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Have you checked if the snort user has permissions to write to the output directory? Are the logs created when you run snort as root?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Paul Li <paul () scybersecurity com>
Date: Tuesday, February 21, 2017 at 10:17 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort read file to generate u2 logs.

I'm using Snort to read a file to generate alerts with the following command:

sudo snort -q -u snort-user -g snort-group -c /etc/snort/snort.conf -r file-name

Snort can generate alerts but doesn't create u2 log files, nor any other output (e.g., csv), although the same snort.conf file will generate both alerts and .u2 files. Wondering if there's a way Snort can generate specified format logs when reading a file.

Thanks,
Paul