Snort mailing list archives

Re: Snort3 with ELK


From: Waiting Zeng <waiting () edison tech>
Date: Tue, 24 Jul 2018 10:14:27 +0800

Thanks very much, I built with master and it is fine now. Do you know how
to test the rules to verify it is OK?

On Tue, Jul 24, 2018 at 4:40 AM, Russ <rucombs () cisco com> wrote:

Hi Waiting,

Re the json error:  looks like that post omitted mention of snort3_extra
so I'm guessing you didn't build and install the extras.  With build 243,
json support was in the extras.  If you get the latest from github, json
support is in snort3 so you won't need extras:

https://github.com/snort3/snort3.git

Re running ok:  that really depends on what you are trying to do.  Please
have a look at the snort3_demo repo which has many working examples to help
get you started:

https://github.com/snort3/snort3_demo.git

Thanks
Russ



On 7/22/18 10:17 PM, Waiting Zeng wrote:

I followed the link https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html
for setup, but have some issues.
#1, error log
--------------------------------------------------
o")~   Snort++ 3.0.0-243
--------------------------------------------------
Loading /usr/local/snort/etc/snort/snort.lua:
        ssh
        pop
        binder
        stream_tcp
        gtp_inspect
        dce_http_proxy
        stream_icmp
        normalizer
        ftp_server
        stream_udp
        dce_smb
        modbus
        ips
        ssl
        latency
        wizard
        appid
        file_id
        ftp_data
        back_orifice
        smtp
        port_scan
        dce_http_server
        dce_tcp
        telnet
        classifications
        sip
        rpc_decode
        http_inspect
        stream_ip
        stream_user
        dnp3
        ftp_client
        stream
        references
        arp_spoof
        dns
        dce_udp
        imap
        stream_file
Finished /usr/local/snort/etc/snort/snort.lua.
ERROR: unknown logger alert_json
Loading rules:
Loading snort3-community-rules/snort3-community.rules:
Finished snort3-community-rules/snort3-community.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 829
               text rules: 829
            option chains: 829
            chain headers: 46
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any      63       3       0       0
     src     124       3       0       0
     dst     539      98       0       0
    both       0       1       0       0
   total     726     105       0       0
--------------------------------------------------
flowbits
                  defined: 20
              not checked: 11
                  not set: 3
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                      dns:        1       0
                      ftp:        7       2
                 ftp-data:        0       8
                     http:      485      92
                     imap:        0       8
                      irc:        4       1
              netbios-ssn:       15       1
                     pop3:        0       8
                     smtp:       16       0
                      ssl:       14      31
                   telnet:        1       0
                    total:      543     151
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                      dns:       88       2
                     http:        4       0
                    total:       92       2
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       13      24       2
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       10       6
                      key:        1       0
                   header:        1       4
                     body:        1       0
                     file:        2       4
--------------------------------------------------
search engine
                instances: 65
                 patterns: 2719
            pattern chars: 49786
               num states: 38972
         num match states: 2649
             memory scale: MB
             total memory: 1.04895
           pattern memory: 0.151139
        match list memory: 0.384735
        transition memory: 0.505138
--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..


#2, how to test if snort3 has run fine?

--
Thank
Waiting


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

      To unsubscribe, send an email to:
      snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette





-- 
Thank
Waiting
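A pre-flight check for the situation in this thread, added here as an example (not code from the thread or from the Snort project): it confirms that the installed snort3 build actually provides a logger plugin before snort.lua references it, and pulls any "unknown logger" errors out of a `snort -T` configuration test. It assumes a Snort 3 binary that supports `--list-plugins` and `-T`; the sample plugin list and log excerpt are constructed.

```shell
#!/bin/sh
# Added example: check that a logger plugin (e.g. alert_json) exists in this
# snort3 build, and extract "unknown logger" errors from a config test run.

# Return 0 if the plugin list text names the given logger, 1 otherwise.
# $1 = logger name (e.g. alert_json), $2 = text of `snort --list-plugins`,
# whose lines look like "logger::alert_json v0 static".
has_logger() {
    printf '%s\n' "$2" | grep -qE "^logger::$1( |\$)"
}

# Read snort output on stdin and print the name of every logger that snort
# reported as unknown, one per line; no output means no such error.
missing_loggers() {
    sed -n 's/^ERROR: unknown logger \([A-Za-z0-9_]*\).*/\1/p'
}

# Constructed sample: the shape of the build-243 error seen in this thread.
SAMPLE_LOG='Finished /usr/local/snort/etc/snort/snort.lua.
ERROR: unknown logger alert_json
Loading rules:'

# Constructed sample: a plugin list from a build without the json logger.
SAMPLE_PLUGINS='logger::alert_csv v0 static
logger::alert_fast v0 static
logger::unified2 v0 static'

# With --run, check the real binary; otherwise only define the functions.
if [ "$1" = "--run" ]; then
    if ! has_logger alert_json "$(snort --list-plugins)"; then
        echo "alert_json is not in this snort build: build snort3_extra or update from github master" >&2
        exit 1
    fi
    # -T validates the configuration without capturing traffic.
    snort -c /usr/local/snort/etc/snort/snort.lua -T 2>&1 | missing_loggers
fi
```

Run it as `sh check_logger.sh --run` on the sensor; an empty result from the `-T` step means no logger errors were reported.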
