Re: Unified2 Missing event record

[Ron H via Snort-devel <snort-devel () lists snort org>]

On Tue, Jul 16, 2019 at 8:03 PM Ron H <ronh.work () gmail com> wrote:

> Hi Albert,
> I running Snort as IDS  in inline mode - Using Daq PFRING ZC mode.
>
> *Snort Command: *
> snort -c snort.conf --daq-dir /usr/local/lib/daq --daq-mode passive --daq
> pfring_zc -i zc:100@0
>
> *Snort configuration:*
>  My snort configuration download from snort.com website and compatible
> with my snort version (2.9.11.1)
>
> *Unified2 configuraton in snort.conf:*
> output unified2: filename /usr/local/app/snort/unified2/snort.unifed2,
> limit 100M
>
> I will check if issue happening on the most recent version of snort.
>
> Thanks,
> Ron. :)
>
>
>
>
>
> On Tue, Jul 16, 2019 at 7:50 PM Ron H <ronh.work () gmail com> wrote:
>
> > More details:
> > Our application creates pcaps files from unified2 snort output.
> > The application read unified2 records (Event record and Packet record)
> > The issue is Snort writes unifed2 files frequently without event record
> > (Only Packet record)
> >
> > This situation can be normal?
> >
> > Thanks,
> > Ron :)
> >
> >
> > On Tue, Jul 16, 2019 at 7:42 PM Ron H <ronh.work () gmail com> wrote:
> >
> > > UP! :)
> > > Does someone know this issue?
> > >
> > > On Mon, Jul 8, 2019 at 7:31 PM Ron H <ronh.work () gmail com> wrote:
> > >
> > > > Hey Snort devel,
> > > >
> > > > We have an issue with Snort Unified2 output.
> > > > Snort write packet record without write event record.
> > > > This issue happens frequently.
> > > >
> > > > out snort version is *2.9.11.1*
> > > > Snort run on Ubuntu 16.04 Docker container
> > > >
> > > > We are would be grateful to any assistance.
> > > > Thanks!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!