Snort mailing list archives
Re: Problem with unified2 files
From: joseph m via Snort-users <snort-users () lists snort org>
Date: Fri, 18 May 2018 13:30:06 +0900
Hi;

I've run snort from the command line like this: snort -vd -i em4. This generated an error "dpg len > captured len", so I set the snaplen to 65535 (-p 65535); that eliminated that issue. I am seeing data sent to stdout just fine. Now when I add -c /etc/snort/snort.conf (where I am specifying data to be output to the unified2 file within the config file) ... nothing, zero-length unified2 files. I looked through the journal and the last message I am seeing regarding snort is 'Commencing Packet Processing'.

My guess is (and correct me if I am wrong, and I very well may be!) that since I point to a config file and I am filtering out certain IPs, it is possible that snort is simply not seeing anything to process. I did comment out some of the IPs in the config file and I also commented out the bpf_file (most of what's in there are network scanners that we normally do not want snort to log).

I thank you all for your time and appreciate any advice. It is a learning experience indeed.

Best to All,
Joseph M

On Wed, May 16, 2018 at 2:15 AM, Muhammad Zeeshan Bhatti <zeeshan.bhatti () royalcyber com> wrote:
> Thank you so much for providing the snort configuration document.
>
> From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of joseph m via Snort-users
> Sent: Tuesday, May 15, 2018 9:10 AM
> To: wkitty42 () windstream net
> Cc: snort-users () lists snort org
> Subject: Re: [Snort-users] Problem with unified2 files
>
>> Hello;
>>
>> I apologize for the delayed response. Here is what I have. I am attaching the snort.conf (pdf format). snort is being called with the following:
>>
>> '/usr/bin/snort -d -D -i em4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort'
>>
>> The startup/shutdown script is the snortd script which resides in /etc/rc.d/init.d. The only difference is the way it calls the init scripts in systemd fashion as opposed to SysV, calling the scripts with ExecStop and ExecStart. The /etc/sysconfig/snort which is 'included' within snortd sets the interface, specifies the path to the snort.conf, sets the uid & gid and a variety of other settings. I will attach that as well.
>>
>> Here is what I am seeing when I grep out snort from /var/log/messages (attached snippet); apparently something is there, but zero-length unified2 files?? I believe I may have mentioned doing the snort -T, giving it the em4 interface, and that gave a successful configuration message.
>>
>> Thanks again, I appreciate the response.
>>
>> Best Regards,
>> Joseph M
>>
>> On Thu, May 10, 2018 at 11:32 PM, <wkitty42 () windstream net> wrote:
>>> On 05/07/2018 10:57 PM, joseph m via Snort-users wrote:
>>>> I have noticed that the unified2 files are zero length
>>>
>>> if those log files are zero length then at least one of several things is wrong...
>>>
>>> 1. your log config section in your conf file... please post it so we can see what you are trying to work with...
>>>
>>> 2. your command line may be overriding your conf file settings... please post it so we can see what you are trying to work with... IF your command is executing a script, please post or point us to that script so we can see what it is doing... some scripts force some options...
>>>
>>> 3. your snort may not be seeing any traffic... are you using "-k none" on your command line? give it a try and remember the script comment above... you can see if your snort is seeing any traffic by looking at the stats it logs when you shut it down... so find your snort log file... on linux, you would generally look in /var/log/messages and grep out the snort lines ("snort\[.*\]:")...
>>>
>>> we can start there and see what others may offer...
>>>
>>> --
>>> NOTE: No off-list assistance is given without prior approval.
>>> Please keep mailing list traffic on the list unless
>>> a signed and pre-paid contract is in effect with us.
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists snort org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
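The whole thread turns on one question: is Snort writing anything into the unified2 files at all, and if so, what? The following Python reader is an added example, not code from this thread or from the Snort project. It walks a unified2 file record by record using the Snort 2 unified2 layout as I know it from the 2.9 sources (an 8-byte big-endian header of record type and length, the 52-byte legacy IDS event record type 7, and the packet record type 2); those type numbers and field layouts are assumptions stated in the code. It distinguishes a truly empty file (the symptom reported above) from a file whose only record is truncated, which is normal while Snort is still appending to the live file. The sample records it parses are constructed inside the script; pass a real file path to run it against /var/log/snort instead.

```python
import socket
import struct
import sys

# Record types taken from Snort 2's unified2 definitions (assumed values).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")                           # record type, record length
IDS_EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")  # IPv4 event record, 52 bytes
PACKET_HDR = struct.Struct("!IIIIIII")                  # 28 bytes, then packet data

assert IDS_EVENT_LEGACY.size == 52 and PACKET_HDR.size == 28


def parse_records(data):
    """Yield (type, payload) for each complete record in a unified2 byte string.

    A record whose body runs past the end of the buffer is treated as a
    truncated trailing record and parsing stops there, because Snort appends
    to the live file and a reader can race the writer.
    """
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        start = offset + HEADER.size
        if start + length > len(data):
            break                          # partial record at end of file
        yield rtype, data[start:start + length]
        offset = start + length


def decode_ids_event(payload):
    """Decode the legacy (IPv4) IDS event record into a dict."""
    f = IDS_EVENT_LEGACY.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
        "class": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
    }


def decode_packet(payload):
    """Decode the packet record header and slice out the captured bytes."""
    f = PACKET_HDR.unpack_from(payload)
    pkt_len = f[6]
    return {"event_id": f[1], "linktype": f[5], "packet_length": pkt_len,
            "data": payload[PACKET_HDR.size:PACKET_HDR.size + pkt_len]}


def summarize(data):
    """Classify a unified2 file: empty, no complete records, or counts by type."""
    counts = {"events": 0, "packets": 0, "other": 0}
    if len(data) == 0:
        return {"status": "empty", **counts}
    for rtype, _payload in parse_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            counts["events"] += 1
        elif rtype == UNIFIED2_PACKET:
            counts["packets"] += 1
        else:
            counts["other"] += 1
    status = "records" if sum(counts.values()) else "no-complete-records"
    return {"status": status, **counts}


def build_sample():
    """Construct a small unified2 byte string: one event and its packet (made-up values)."""
    ip = lambda s: struct.unpack("!I", socket.inet_aton(s))[0]
    ev = IDS_EVENT_LEGACY.pack(1, 42, 1526600000, 123456, 1000001, 1, 3, 0, 3,
                               ip("10.0.0.5"), ip("192.0.2.10"),
                               51515, 80, 6, 0, 0, 0)
    pkt_data = b"\x45\x00\x00\x28" + b"\x00" * 36   # constructed, not a real capture
    pkt = PACKET_HDR.pack(1, 42, 1526600000, 1526600000, 123456, 1, len(pkt_data)) + pkt_data
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample()
    print(summarize(blob))
    for rtype, payload in parse_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            print("event", decode_ids_event(payload))
        elif rtype == UNIFIED2_PACKET:
            print("packet", decode_packet(payload))
```

A "status": "empty" result on a file that Snort has been holding open for hours is the signal from the thread: the output plugin opened the file but no event ever reached it, which points back at rules, BPF filtering, or the interface rather than at the unified2 writer. A "no-complete-records" result means bytes are arriving and the reader simply caught the file mid-write.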
Current thread:
- Problem with unified2 files joseph m via Snort-users (May 08)
- Re: Problem with unified2 files wkitty42 (May 14)
- Re: Problem with unified2 files joseph m via Snort-users (May 15)
- Message not available
- Re: Problem with unified2 files joseph m via Snort-users (May 18)
- Re: Problem with unified2 files joseph m via Snort-users (May 15)
- Re: Problem with unified2 files wkitty42 (May 14)