Re: unified2 logs are empty

[Kw Luey <kumwengluey () gmail com>]

Hi, 

Thanks for the help. The "outout" was a typing mistake in this mail. 

I will try to look at the snort.conf again. 

Thanks for the help. 

Regards,
Kw

On Jul 9, 2010, at 8:38 PM, Nick Moore <nmoore () sourcefire com> wrote:

> KW, 
>
> A couple of things:
> Portscans do not always yield events. It depends on your preprocessor config. A more reliable method of creating 
> events in a lab or very small home network is to create a custom rule in local.rules like "alert tcp $HOME_NET any -> 
> $EXTERNAL_NET 80 (msg: "someone surfed the web"; sid: 1000001)". Be careful with that one: I use it for testing Snort 
> at home and just clicking on a couple of web pages can generate hundreds of events. If you are in a network with more 
> than one person, try something more limited, like replacing $HOME_NET with your workstation IP. 
> I'm assuming that your statement below is a typo: outout unified2: filename snort.u2, limit 128. It should and 
> probably does read output, not outout. Snort would most likely have failed to start if outout was there, but please 
> double check.
> If these suggestions don't work for you, please include your snort.conf, barnyard2.conf and the command you use to 
> start snort in your reply to the list. It really helps give a better idea of where to look for issues. 
> Thanks and happy snorting!
>
> Nick
>
> On Fri, Jul 9, 2010 at 12:58 AM, Kum Weng Luey <kumwengluey () gmail com> wrote:
> Hi all,
>  
> I have configured and setup Snort-2.8.6 with barnyard2-1.8 and am facing problems with unified2 logs. The setup and 
> installation of Snort and barnyard with mysql yield no errors.
>  
> However nothing is being passed to the unified2 logs. I have done a portscan on the machine itself but the logs are 
> still empty. What could be wrong ?
>  
> Hopefully someone could help me with it.
>  
> snort.conf unified2 config
>  
> outout unified2: filename snort.u2, limit 128
>  
>  
>  
> Regards,
> KW
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -- 
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore () sourcefire com
> IM    nickgmoore (Yahoo)
>       nickgmoore38 (AIM)
>
>    ,,_
>   o"  )~   Sourcefire - The Creators of Snort
>    ''''
>
> www.sourcefire.com         www.snort.org
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users