Snort mailing list archives

Re: Snort++ Build 239

From: Jim Campbell <jim () w4bqp net>
Date: Tue, 8 Aug 2017 11:22:14 -0400

Russ,

I believe that I have Snort++ outputting the unified2x log files.Following is the command line that I am using (I've moved the rules filespecification into snort.lua.)

sudo /opt/snort/bin/snort -Q -q -c /opt/snort/etc/snort/snort.lua --daqafpacket -i enp1s0:enp4s0 --plugin-path /opt/snort/lib/snort_extra -Aunified2x


This is the u2spewfoo output for one of the unified2x records:

(Event)

sensor id: 0 event id: 1 event second: 1502204570event microsecond: 285494

        sig id: 15      gen id: 129     revision: 1 classification: 3

priority: 2 ip source: 192.168.254.2 ip destination:54.174.67.216src port: 53313 dest port: 443 ip_proto: 6 impact_flag: 0blocked: 0

        mpls label: 0   vlan id: 0      policy id: 0    appid:

Packet
        sensor id: 0    event id: 1     event second: 1502204570
        packet second: 1502204570       packet microsecond: 285494
        linktype: 1     packet_length: 60
[    0] 00 26 91 56 78 0B B0 7F B9 1A 2E FF 08 00 45 00 .&.Vx.........E.
[   16] 00 28 57 9E 40 00 3F 06 AB 00 C0 A8 FE 02 36 AE .(W.@.?.......6.
[   32] 43 D8 D0 41 01 BB 9D 2A 41 7A 00 00 00 00 50 04 C..A...*Az....P.
[   48] 00 00 C6 0D 00 00 00 00 00 00 00 00 ............

I've got some tweaking to do. For example my unified2x file is in /home/jim.

Thanks for your help.

Jim

On 8/7/2017 12:06 PM, Russ wrote:

On 8/7/17 11:53 AM, Jim Campbell wrote:
Now that I have a running (though back-level) IPS I'll play withgetting the unified2x logger working. For clarification, does thismean that I can use Snort++ and the unified2x logger will outputrecords understandable by Barnyard2?
Yes. You will get the same event types as 2X. The difference is thatSnort++ data buffers records will not be handled. I'm looking intowhat can be done to just make that work until the tool chains areupdated. But this will get you back to where you were before the newevents were added.


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Snort++ Build 239, (continued)
- Re: Snort++ Build 239 Jim Campbell (Jul 29)
  - Re: Snort++ Build 239 Russ via Snort-users (Jul 31)
    - Re: Snort++ Build 239 Jim Campbell (Jul 31)
    - Re: Snort++ Build 239 Jim Campbell (Jul 31)
    - Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
    - Re: Snort++ Build 239 Marcin Dulak via Snort-users (Aug 07)
    - Re: Snort++ Build 239 Jim Campbell (Aug 07)
    - Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
    - Re: Snort++ Build 239 Jim Campbell (Aug 07)
    - Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
    - Re: Snort++ Build 239 Jim Campbell (Aug 08)
    - Re: Snort++ Build 239 Russ via Snort-users (Aug 09)
- Snort++ Build 239 Jim Campbell (Aug 24)