Re: Unified2 Output

[Marcin Dulak via Snort-users <snort-users () lists snort org>]

On Sun, Jul 16, 2017 at 5:20 AM, Jim Campbell <jim () w4bqp net> wrote:

> Al,
>
> Thanks for the reply. I ran a Snort 2.9.9.0 installation for six to eight
> months in the IPS mode. In the last month or so it became increasingly
> flaky as in stopping alerting for hours at a time while still passing
> traffic. I decided to step up to Snort 3 so I am having to learn how it
> works.
>
> In retrospect I should have realized what you pointed out. I still have a
> lot to learn.

when providing feedback please state the command that worked for you.
People will be reading this thread in the future and will have to go
through all the posts to build a context and make a guess what a solution
was.
Maybe the one below? Otherwise please correct.

export LUA_PATH=/usr/include/snort/lua/?.lua
export SNORT_LUA_PATH=/etc/snort
sudo /usr/sbin/snort -l /var/log/snort -c /etc/snort/snort.lua -A unified2
-v --plugin-path /usr/lib64/snort_extra -R /etc/snort/rules/snort.rules -r
test.pcap

Marcin


> Thanks,
>
> Jim
>
> On 7/15/2017 10:25 PM, Al Lewis (allewi) wrote:
>
>
> Sorry if I am misunderstanding but are you trying to get alerts from this
> pcap?
>
> Based on the command you are just reading a pcap and then trying to write
> something to a file.
>
> Without an alert generated the unified file should be blank.
>
> You probably need to use a -c for a config file and using -l for the
> logging location.
>
> https://www.snort.org/faq/readme-unified2
>
>
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com
>
>
>
>
>
>
>
>
> On 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell"
> <snort-users-bounces () lists snort org on behalf of jim () w4bqp net>
> <snort-users-bounces@lists.snort.orgonbehalfofjim () w4bqp net> wrote:
>
> In my day-to-day use of Snort 3 I need for it to output its results in
> Unified2 format. Experimenting, I came upon something that isn't working
> for me. It may be a configuration issue that I don't yet understand.
>
> If I run "sudo /opt/snort/bin/snort -r
> ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap  -L dump" everything
> works OK.
>
> If I run "sudo /opt/snort/bin/snort -r
> ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap  -A unified2" it
> writes a "unified2.log.nnnnn" file in the default directory but the
> length is zero.
>
> What am I doing wrong / leaving out?
>
> Thanks,
>
> Jim
>
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!