Snort mailing list archives

Re: running snort
From: Balla István <balla.bmf () gmail com>
Date: Thu, 2 May 2013 00:18:52 +0200

Actually I'm running snort with:
*/usr/local/snort/bin/snort -Q -i eth2:eth1 -c /usr/local/snort/etc/snort.conf -D*

It produced a log file in the */var/log/snort* folder: snort.u2.123456789
I want to read (back) this file with: */usr/local/snort/bin/snort -r

*In snort.conf the output is set:* output unified2: filename snort.u2, limit 128

2013/5/1 beenph <beenph () gmail com>

readback mode?

Which software you want to use in "readback mode"?

On Wed, May 1, 2013 at 5:44 PM, Balla István <balla.bmf () gmail com> wrote:
Could you write how to use it in readback mode? Thanks

2013/5/1 beenph <beenph () gmail com>

On Wed, May 1, 2013 at 4:39 PM, Balla István <balla.bmf () gmail com>
Sorry. snort.u2 is the log output format (unified2) with the appended
identifier: .1234557...
But why is it that snort cannot read it with ./snort -r

To read a unified2 file you can use

u2spewfoo (comes with the snort source package)
u2boat (to extract packets from a unified2 file, also comes with the snort
source package)
snort unified perl (http://code.google.com/p/snort-unified-perl/)
barnyard2 (to process unified2 file to different output,
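
Added example, not part of the original thread and not Snort's own code: `snort -r` reads pcap capture files, while a unified2 file is a stream of records that each start with an 8-byte big-endian type/length header, so the two cannot be interchanged. The sketch below checks for the pcap magic and walks the unified2 records, including a cut-off last record. The function names are hypothetical, the sample bytes are constructed, and the record type numbers and event field order are assumed from Snort's unified2 definitions.

```python
import struct

# Classic libpcap magic in either byte order; this is what a pcap reader looks for.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1"}
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
            104: "IDS_EVENT_V2", 105: "IDS_EVENT_IPV6_V2", 110: "EXTRA_DATA"}

def looks_like_pcap(data):
    return data[:4] in PCAP_MAGICS

def walk_unified2(data):
    """Yield (type_name, length, summary) per record; flag a cut-off tail."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)  # big-endian header
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:  # Snort may still be writing the last record
            yield ("TRUNCATED", rlen, None)
            return
        summary = None
        if rtype == 7 and rlen >= 28:  # legacy IPv4 event: first seven uint32s
            _sensor, event, sec, _usec, sid, gid, rev = struct.unpack_from(">7I", body)
            summary = {"event_id": event, "gid": gid, "sid": sid, "rev": rev, "second": sec}
        yield (U2_TYPES.get(rtype, "UNKNOWN(%d)" % rtype), rlen, summary)
        off += 8 + rlen

def _rec(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

# Constructed sample, not real sensor output: one event, its packet, and a
# record whose header promises 64 bytes but only 10 are present.
_EVENT = struct.pack(">11I2H4B", 1, 42, 1367446732, 0, 1000001, 1, 3, 0, 2,
                     0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
_PACKET = struct.pack(">7I", 1, 42, 1367446732, 1367446732, 0, 1, 4) + b"\x00" * 4
SAMPLE = _rec(7, _EVENT) + _rec(2, _PACKET) + struct.pack(">II", 2, 64) + b"\x00" * 10

if __name__ == "__main__":
    print("pcap magic present:", looks_like_pcap(SAMPLE))
    for name, length, summary in walk_unified2(SAMPLE):
        print(name, length, summary or "")
```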

