Snort mailing list archives
Re: Problem with unified2 files
From: joseph m via Snort-users <snort-users () lists snort org>
Date: Tue, 15 May 2018 13:09:41 +0900
Hello; I apologize for the delayed response. Here is what I have.

I am attaching the snort.conf (pdf format). Snort is being called with the following:

    /usr/bin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

The startup/shutdown script is the snortd script which resides in /etc/rc.d/init.d. The only difference is the way it calls the init scripts in systemd fashion as opposed to Sys V, calling the scripts with ExecStop and ExecStart. The /etc/sysconfig/snort, which is 'included' within snortd, sets the interface, specifies the path to the snort.conf, sets the uid & gid and a variety of other settings. I will attach that as well.

Here is what I am seeing when I grep out snort from /var/log/messages (attached snippet): apparently something there, but zero length unified2 files?? I believe I may have mentioned doing the snort -T giving it the em4 interface, and that gave a successful configuration message.

Thanks again, I appreciate the response.

Best Regards,
Joseph M

On Thu, May 10, 2018 at 11:32 PM, <wkitty42 () windstream net> wrote:
On 05/07/2018 10:57 PM, joseph m via Snort-users wrote:
> I have noticed that the unified2 files are zero length

if those log files are zero length then at least one of several things is wrong...

1. your log config section in your conf file... please post it so we can see what you are trying to work with...

2. your command line may be overriding your conf file settings... please post it so we can see what you are trying to work with... IF your command is executing a script, please post or point us to that script so we can see what it is doing... some scripts force some options...

3. your snort may not be seeing any traffic... are you using "-k none" on your command line? give it a try and remember the script comment above... you can see if your snort is seeing any traffic by looking at the stats it logs when you shut it down... so find your snort log file... on linux, you would generally look in /var/log/messages and grep out the snort lines ("snort\[.*\]:")...

we can start there and see what others may offer...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Attachment: snort.conf.pdf
Attachment: sysconf_snort.pdf
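The three checks suggested in the quoted reply (is a unified2 output line actually active in snort.conf, which unified2 files in the log directory are zero length, and did Snort report receiving any packets in the statistics it logs to /var/log/messages on shutdown) can be scripted so they are run the same way each time. The script below is an added example; it is not from the thread participants or from the Snort project. It assumes the unified2 filenames follow the `<name>.<timestamp>` rotation pattern produced by `output unified2: filename <name>`, and that Snort's shutdown statistics reach syslog as `snort[pid]:` lines containing a `Received:` counter; the snort.conf fragment, unified2 files and syslog lines it builds for the demo are constructed here.

```shell
#!/bin/sh
# Added diagnostic for the zero-length unified2 symptom discussed in the
# thread. Not Snort project code; all paths are passed as arguments and
# the sample data below is constructed for the demonstration.

# Print the active (uncommented) "output unified2" lines from a snort.conf.
# Returns 1 and prints nothing if no unified2 output is configured.
unified2_output_lines() {
    grep -E '^[[:space:]]*output[[:space:]]+unified2' "$1"
}

# Print the zero-length unified2 files in a log directory, one per line.
# Assumption: files are named <name>.<timestamp>, e.g. merged.log.1526342401
# or snort.u2.1526342401, as produced by "output unified2: filename <name>".
zero_length_unified2() {
    for f in "$1"/*.u2.* "$1"/*.log.*; do
        [ -f "$f" ] || continue        # glob matched nothing
        [ -s "$f" ] || echo "$f"       # -s is false for an empty file
    done
}

# Keep only Snort's own syslog lines ("snort[pid]:") and pull the packet
# count from the last "Received:" statistics line. Prints 0 when no
# statistics are present (Snort never shut down cleanly or never ran).
snort_packets_received() {
    r=$(grep -E 'snort\[[0-9]+\]:' "$1" \
        | sed -n 's/.*Received:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    echo "${r:-0}"
}

# Run all three checks and print a short verdict for each.
diagnose() {
    conf="$1"; logdir="$2"; messages="$3"
    if unified2_output_lines "$conf" >/dev/null; then
        echo "unified2 output is configured in $conf"
    else
        echo "no active 'output unified2' line in $conf (check the log config section)"
    fi
    empty=$(zero_length_unified2 "$logdir" | wc -l | tr -d ' ')
    echo "zero-length unified2 files in $logdir: $empty"
    pkts=$(snort_packets_received "$messages")
    echo "packets received per last shutdown stats: $pkts"
    if [ "$pkts" -eq 0 ]; then
        echo "snort reported no traffic: check the interface and try -k none"
    fi
}

# Build constructed sample input under $1: a snort.conf fragment with one
# commented and one active output line, a log directory with one rotated
# file that has content and one that is empty, and syslog lines shaped like
# Snort's daemon output and shutdown statistics next to an unrelated line.
make_sample_data() {
    base="$1"
    mkdir -p "$base/log"
    printf '%s\n' \
        '# constructed fragment, not a full snort.conf' \
        '# output unified2: filename snort.u2, limit 128' \
        'output unified2: filename merged.log, limit 128' \
        > "$base/snort.conf"
    printf 'unified2 records would be here' > "$base/log/merged.log.1526340000"
    : > "$base/log/merged.log.1526342401"
    printf '%s\n' \
        'May 15 09:00:01 sensor snort[2231]: Initializing daemon mode' \
        'May 15 09:00:01 sensor snort[2231]: Acquiring network traffic from "em4".' \
        'May 15 09:00:03 sensor sshd[1900]: Accepted publickey for admin from 192.0.2.10' \
        'May 15 09:10:44 sensor snort[2231]: Packet I/O Totals:' \
        'May 15 09:10:44 sensor snort[2231]:    Received:              0' \
        'May 15 09:10:44 sensor snort[2231]:    Analyzed:              0 (  0.000%)' \
        > "$base/messages"
}

# Stand-alone demo on the constructed data.
demo_dir=$(mktemp -d)
make_sample_data "$demo_dir"
diagnose "$demo_dir/snort.conf" "$demo_dir/log" "$demo_dir/messages"
rm -rf "$demo_dir"
```

Against a live sensor the call would be `diagnose /etc/snort/snort.conf /var/log/snort /var/log/messages` (run as a user that can read those files). A count of zero received packets together with empty unified2 files points at the capture side (interface, checksum handling via `-k none`, or a script overriding the command line) rather than at the output plugin, which is the distinction the quoted reply is trying to make.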
Current thread:
- Problem with unified2 files joseph m via Snort-users (May 08)
- Re: Problem with unified2 files wkitty42 (May 14)
- Re: Problem with unified2 files joseph m via Snort-users (May 15)
- Message not available
- Re: Problem with unified2 files joseph m via Snort-users (May 18)
- Re: Problem with unified2 files joseph m via Snort-users (May 15)
- Re: Problem with unified2 files wkitty42 (May 14)