Home page logo
/

snort logo Snort mailing list archives

Re: running snort
From: Balla István <balla.bmf () gmail com>
Date: Thu, 2 May 2013 00:18:52 +0200

actually i m running snort with:
*/usr/local/snort/bin/snort -Q -i eth2:eth1 -c
/usr/local/snort/etc/snort.conf -D*

it produced a log file into */var/log/snort* folder: snort.u2.123456789
i want to read(back) this file with: */usr/local/snort/bin/snort -r
/var/log/snort/snort.u2.123456789

*in snort.conf the output is set:* output unified2: filename snort.u2,
limit 128
*


2013/5/1 beenph <beenph () gmail com>

readback mode?

Which software you want to use in "readback mode"?
-elz


On Wed, May 1, 2013 at 5:44 PM, Balla István <balla.bmf () gmail com> wrote:
could you write how to use it in readback mode? thanks


2013/5/1 beenph <beenph () gmail com>

On Wed, May 1, 2013 at 4:39 PM, Balla István <balla.bmf () gmail com>
wrote:
sorry. snort.u2 is the log output format (unified2) with the appended
identifier: .1234557...
but why is that snort cannot read it with ./snort -r
./log/snort.u2.12345678


To read unified2 file you can use

u2spewfoo (comes with snort source package)
u2bloat (to extract packet from  unified2 file, also comes with snort
source package)
snort unified perl (http://code.google.com/p/snort-unified-perl/)
or
barnyard2 (to process unified2 file to different output,
www.github.com/firnsy/barnyard2)

-elz



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault