NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Snort IDS> current

Re: [Snort-users] running snort

From: beenph (beenphgmail.com)
Date: Wed May 01 2013 - 19:07:58 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 1, 2013 at 6:18 PM, Balla István <balla.bmfgmail.com> wrote:
> actually i m running snort with:
> /usr/local/snort/bin/snort -Q -i eth2:eth1 -c
> /usr/local/snort/etc/snort.conf -D
>
> it produced a log file into /var/log/snort folder: snort.u2.123456789
> i want to read(back) this file with: /usr/local/snort/bin/snort -r
> /var/log/snort/snort.u2.123456789
>

Unified2 output is not what your snort process has read from the
network beforehand.

Unified2 is the result of events that snort triggered on the network
traffic you monitored
using its configuration and defined rules.

For snort to read a file with -r the source file needs to be a pcap file.

You could stretch the exercise to extract packets from the unified2 file
using u2bloat and then reading the output file with snort,

But depending on the rule set you have and snort configuration, its highly
improbable that those packets will re-trigger the original events
extracted from the
original unified2 file.

So maybe you could explain what you really want to do and probably people could
help you out.

-elz

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]