Snort mailing list archives
Re: Unified2 Output
From: Jim Campbell <jim () w4bqp net>
Date: Sat, 15 Jul 2017 23:20:40 -0400
Al,Thanks for the reply. I ran a Snort 2.9.9.0 installation for six to eight months in the IPS mode. In the last month or so it became increasingly flaky as in stopping alerting for hours at a time while still passing traffic. I decided to step up to Snort 3 so I am having to learn how it works.
In retrospect I should have realized what you pointed out. I still have a lot to learn.
Thanks, Jim On 7/15/2017 10:25 PM, Al Lewis (allewi) wrote:
Sorry if I am misunderstanding but are you trying to get alerts from this pcap?Based on the command you are just reading a pcap and then trying to write something to a file.Without an alert generated the unified file should be blank.You probably need to use a -c for a config file and using -l for the logging location.https://www.snort.org/faq/readme-unified2 Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco comOn 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell" <snort-users-bounces () lists snort org on behalf of jim () w4bqp net> wrote:In my day-to-day use of Snort 3 I need for it to output its results in Unified2 format. Experimenting, I came upon something that isn't working for me. It may be a configuration issue that I don't yet understand. If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -L dump" everything works OK. If I run "sudo /opt/snort/bin/snort -r ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -A unified2" it writes a "unified2.log.nnnnn" file in the default directory but the length is zero. What am I doing wrong / leaving out? Thanks, Jim -- "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-usersPlease visit http://blog.snort.org to stay current on all the latest Snort news!
-- "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Al Lewis (allewi) via Snort-users (Jul 15)
- <Possible follow-ups>
- Re: Unified2 Output Jim Campbell (Jul 15)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)
- Re: Unified2 Output Jim Campbell (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 16)
- Re: Unified2 Output Marcin Dulak via Snort-users (Jul 15)