Snort mailing list archives
Re: Unified2 Output
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sun, 16 Jul 2017 02:25:35 +0000
Sorry if I am misunderstanding, but are you trying to get alerts from this pcap? Based on the command, you are just reading a pcap and then trying to write something to a file. Without an alert generated, the unified file should be blank. You probably need to use -c for a config file and -l for the logging location.

https://www.snort.org/faq/readme-unified2

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell" <snort-users-bounces () lists snort org on behalf of jim () w4bqp net> wrote:
In my day-to-day use of Snort 3 I need it to output its results in Unified2 format. Experimenting, I came upon something that isn't working for me. It may be a configuration issue that I don't yet understand.

If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -L dump" everything works OK.

If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -A unified2" it writes a "unified2.log.nnnnn" file in the default directory, but the length is zero.

What am I doing wrong / leaving out?

Thanks,
Jim

--
"We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
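The reply above turns on one check: is the unified2 file zero bytes because no event was ever logged, or does it hold records that simply were not inspected? The following is an added example, not code from this thread or from Snort itself. It walks a unified2 byte stream record by record using the Serial_Unified2_Header (uint32 type, uint32 length, network byte order) and the legacy IPv4 IDS event layout documented in Snort's README.unified2, distinguishes an empty file (zero records, Al's "no alert generated" case) from a truncated one, and decodes gid/sid from any type 7 event. The sample bytes at the bottom are constructed for the demonstration and do not come from any real capture.

```python
import struct
from typing import Dict, List, Tuple

# Record type identifiers from Snort's Unified2 format description.
UNIFIED2_TYPES: Dict[int, str] = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}

# Every record starts with Serial_Unified2_Header: uint32 type, uint32 length,
# both big-endian; `length` counts the body that follows, not the header.
RECORD_HEADER = struct.Struct("!II")
# Serial_Unified2IDSEvent_legacy (type 7): eleven uint32, two uint16, four uint8.
IDS_EVENT = struct.Struct("!11I2H4B")


def walk_unified2(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a unified2 byte stream into (type, body) pairs.

    Empty input yields an empty list, which is what a zero-length unified2.log
    means: Snort ran but logged no events. A header or body that runs past the
    end of the data raises ValueError, so a file that is still being written
    (or was cut off) is reported rather than silently swallowed.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if len(data) - offset < rlen:
            raise ValueError(
                f"type {rtype} record at offset {offset - RECORD_HEADER.size} "
                f"claims {rlen} bytes but only {len(data) - offset} remain")
        records.append((rtype, data[offset:offset + rlen]))
        offset += rlen
    return records


def parse_ids_event(body: bytes) -> Dict[str, int]:
    """Decode the fields of a type 7 (IPv4, legacy) IDS event record."""
    f = IDS_EVENT.unpack(body[:IDS_EVENT.size])
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6],
        "classification": f[7], "priority": f[8],
        "src": f[9], "dst": f[10],
        "sport": f[11], "dport": f[12], "protocol": f[13],
    }


def summarize(data: bytes) -> List[str]:
    """One line per record; an empty list means the file holds no records at all."""
    lines = []
    for rtype, body in walk_unified2(data):
        name = UNIFIED2_TYPES.get(rtype, f"unknown({rtype})")
        if rtype == 7:
            ev = parse_ids_event(body)
            lines.append(f"{name}: gid {ev['gid']} sid {ev['sid']} rev {ev['rev']} "
                         f"proto {ev['protocol']} {ev['sport']} -> {ev['dport']}")
        else:
            lines.append(f"{name}: {len(body)} bytes")
    return lines


# Constructed sample: one IPv4 event followed by its packet record. All field
# values are invented for the demonstration.
SAMPLE_EVENT = IDS_EVENT.pack(
    1, 1, 1500000000, 0,      # sensor_id, event_id, event_second, event_microsecond
    2000001, 1, 5,            # signature_id, generator_id, signature_revision
    3, 2,                     # classification_id, priority_id
    0x0A000001, 0x0A000002,   # ip_source 10.0.0.1, ip_destination 10.0.0.2
    44444, 80,                # sport_itype, dport_icode
    6, 0, 0, 0)               # protocol (TCP), impact_flag, impact, blocked
# Serial_Unified2Packet: seven uint32 (sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length), then the bytes.
SAMPLE_PKT_DATA = b"\x45\x00\x00\x14"
SAMPLE_PACKET = struct.pack("!7I", 1, 1, 1500000000, 1500000000, 0, 1,
                            len(SAMPLE_PKT_DATA)) + SAMPLE_PKT_DATA
SAMPLE_FILE = (RECORD_HEADER.pack(7, len(SAMPLE_EVENT)) + SAMPLE_EVENT
               + RECORD_HEADER.pack(2, len(SAMPLE_PACKET)) + SAMPLE_PACKET)

if __name__ == "__main__":
    print("zero-length file:", summarize(b""))
    for line in summarize(SAMPLE_FILE):
        print(line)
```

Pointing `summarize()` at the bytes of a real unified2.log.nnnnn separates the two cases Jim might be looking at: an empty list is the "nothing was logged" outcome the reply describes (no rules loaded via -c, so no alert to write), while a ValueError means the file has content but ends mid-record, which is normal for a file Snort has not finished flushing.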
Current thread:
- Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Al Lewis (allewi) via Snort-users (Jul 15)
- <Possible follow-ups>
- Re: Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)
- Re: Unified2 Output Jim Campbell (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)