Re: Unified2 Output

[Jim Campbell <jim () w4bqp net>]

Good suggestion, Marcin. My command line was a bit different than yours 
and it did produce a "unified2.log". Earlier output files produced a 
"unified2.log.nnnnnnnn" and this one didn't so I will have to see if I 
can find why.

~$sudo /opt/snort/bin/snort -c /opt/snort/etc/snort/snort_config -R 
/opt/snort/etc/snort/snort3.rules -i enp0s25 -A unified2

~$sudo /opt/snort/bin/u2spewfoo ./unified2.log

(Event)
        sensor id: 0    event id: 1     event second: 1500228129        
event microsecond: 176958
        sig id: 12      gen id: 129     revision: 1 classification: 3
        priority: 2     ip source: 192.168.0.10 ip destination: 
192.168.0.41
        src port: 52915 dest port: 22   ip_proto: 6     impact_flag: 0  
blocked: 0
        mpls label: 0   vlan id: 0      policy id: 0    appid:

Packet
        sensor id: 0    event id: 1     event second: 1500228129
        packet second: 1500228129       packet microsecond: 176958
        linktype: 1     packet_length: 94
[    0] 00 23 AE 7F CC 12 20 1A 06 D6 4A 3A 08 00 45 00  .#.... ...J:..E.
[   16] 00 50 07 EA 40 00 80 06 71 3A C0 A8 00 0A C0 A8 .P..@...q:......
[   32] 00 29 CE B3 00 16 BE FB A0 F8 04 A3 96 60 80 18 .)...........`..
[   48] CF E6 C8 30 00 00 01 01 08 0A 0A 33 57 AE 02 38 ...0.......3W..8
[   64] 61 4D 00 00 00 10 04 EB EB 37 7B F9 84 73 85 6C aM.......7{..s.l
[   80] 73 08 B1 A0 F9 1A 1F 1E 24 A6 06 67 EF D9 s.......$..g..


Jim

On 7/16/2017 12:31 AM, Marcin Dulak wrote:
> On Sun, Jul 16, 2017 at 5:20 AM, Jim Campbell <jim () w4bqp net 
> <mailto:jim () w4bqp net>> wrote:
>
>     Al,
>
>     Thanks for the reply. I ran a Snort 2.9.9.0 installation for six
>     to eight months in the IPS mode. In the last month or so it became
>     increasingly flaky as in stopping alerting for hours at a time
>     while still passing traffic. I decided to step up to Snort 3 so I
>     am having to learn how it works.
>
>     In retrospect I should have realized what you pointed out. I still
>     have a lot to learn.
>
>
> when providing feedback please state the command that worked for you.
> People will be reading this thread in the future and will have to go 
> through all the posts to build a context and make a guess what a 
> solution was.
> Maybe the one below? Otherwise please correct.
>
> export LUA_PATH=/usr/include/snort/lua/?.lua
> export SNORT_LUA_PATH=/etc/snort
> sudo /usr/sbin/snort -l /var/log/snort -c /etc/snort/snort.lua -A 
> unified2 -v --plugin-path /usr/lib64/snort_extra -R 
> /etc/snort/rules/snort.rules -r test.pcap
>
> Marcin
>
>
>
>     Thanks,
>
>     Jim
>
>     On 7/15/2017 10:25 PM, Al Lewis (allewi) wrote:
> >     Sorry if I am misunderstanding but are you trying to get alerts
> >     from this pcap?
> >
> >     Based on the command you are just reading a pcap and then trying
> >     to write something to a file.
> >
> >     Without an alert generated the unified file should be blank.
> >
> >     You probably need to use a -c for a config file and using -l for
> >     the logging location.
> >
> >     https://www.snort.org/faq/readme-unified2
> >     <https://www.snort.org/faq/readme-unified2>
> >
> >
> >
> >     Albert Lewis
> >     ENGINEER.SOFTWARE ENGINEERING
> >     SOURCEfire, Inc. now part of Cisco
> >     Email: allewi () cisco com <mailto:allewi () cisco com>
> >
> >
> >
> >
> >
> >
> >
> >
> >     On 7/15/17, 8:01 PM, "Snort-users on behalf of Jim Campbell"
> >     <snort-users-bounces () lists snort org on behalf of jim () w4bqp net>
> >     <mailto:snort-users-bounces@lists.snort.orgonbehalfofjim () w4bqp net>
> >     wrote:
> >
> > >     In my day-to-day use of Snort 3 I need for it to output its
> > >     results in
> > >     Unified2 format. Experimenting, I came upon something that isn't
> > >     working
> > >     for me. It may be a configuration issue that I don't yet
> > >     understand.
> > >
> > >     If I run "sudo /opt/snort/bin/snort -r
> > >     ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -L dump"
> > >     everything
> > >     works OK.
> > >
> > >     If I run "sudo /opt/snort/bin/snort -r
> > >     ./pcaps/ie_aurora_WinXP_successfulExploitation.pcap -A unified2" it
> > >     writes a "unified2.log.nnnnn" file in the default directory but the
> > >     length is zero.
> > >
> > >     What am I doing wrong / leaving out?
> > >
> > >     Thanks,
> > >
> > >     Jim
> > >
> > >     -- 
> > >     "We are not human beings having a spiritual experience;
> > >     we are spiritual beings having a human experience."
> > >     ---Pierre Teilhard de Chardin
> > >
> > >     _______________________________________________
> > >     Snort-users mailing list
> > >     Snort-users () lists snort org <mailto:Snort-users () lists snort org>
> > >     Go to this URL to change user options or unsubscribe:
> > >     https://lists.snort.org/mailman/listinfo/snort-users
> > >     <https://lists.snort.org/mailman/listinfo/snort-users>
> > >
> > >     Please visit http://blog.snort.org to stay current on all the
> > >     latest Snort news!
>
>     -- 
>     "We are not human beings having a spiritual experience;
>     we are spiritual beings having a human experience."
>     ---Pierre Teilhard de Chardin
>
>
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists snort org <mailto:Snort-users () lists snort org>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.snort.org/mailman/listinfo/snort-users
>     <https://lists.snort.org/mailman/listinfo/snort-users>
>
>     Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!