Snort mailing list archives
Re: Unified2 questions
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Apr 2011 10:27:20 -0400
Can't you use "pcap" output in barnyard?

J

On Wed, Apr 27, 2011 at 10:22 AM, Lay, James <james.lay () wincofoods com> wrote:
So yeah... I'm sure you all saw this coming ;)
Now that I have unified2 output, the long and short is: what can I do with
it? I don't want to run barnyard and pipe to a db... I just want to see the
packets on the command line. My research/results so far:
Cerberus: Old, slow, shareware
U2boat: errors with no packets output:
[08:10:56:~/log$] u2boat snort-unified.1303847056 ~/test.pcap
Defaulting to pcap output.
Error: incomplete record. 662559 of 1073741824 bytes read.
[08:11:01:~/log$] ls -l ~/test.pcap
-rw------- 1 0 2011-04-27 08:11 //test.pcap
U2spewfoo: errors with no results:
[08:15:06 :~/log$] u2spewfoo snort-unified.1303847056
get_record: (2) Failed to read all of record data.
Read 662559 of 1073741824 bytes
I looked at mudpit as well, but again, it seems to be just a data
spooler/redirector. My process for handling snort alerts is:
See the alert in the logs
Do a whois on the remote IP
tshark -X the current snort.pcap file matching the remote
IP to see the raw packet caught
How does unified2 output fit into this type of response? Thanks for any
help all.
James
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today. Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
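Added example, not code from this thread or from Snort: a small Python reader for the unified2 spool file James asks about. It walks the Serial_Unified2_Header (type and length, both 32-bit network byte order), decodes legacy IPv4 IDS events (type 7, and the shared 52-byte prefix of type 104) and packet records (type 2) using the layouts from Snort's Unified2_common.h, and writes the packets out as a classic pcap that tshark can read. Where a record header claims more bytes than remain in the file it reports the offset, the claimed size and the available size and stops; that is the same condition u2boat and u2spewfoo print as an incomplete record above. The sample bytes at the bottom are constructed for this example (the 1 GiB length in the last record only mirrors the figure in the post), IPv6 event and extra-data record types are deliberately skipped, and the output file name unified2-out.pcap is this example's own choice.

```python
"""Walk a unified2 spool, decode events and packets, and write packets to pcap."""
import ipaddress
import struct
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Record types from Snort's Unified2_common.h; every field is network byte order.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # same 52-byte prefix plus mpls_label/vlan_id
HDR = struct.Struct("!II")       # Serial_Unified2_Header: type, length
PKT = struct.Struct("!7I")       # Serial_Unified2Packet fixed part (28 bytes)
EVT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy (52 bytes)
EVT_FIELDS = ("sensor_id", "event_id", "event_second", "event_usec", "signature_id",
              "generator_id", "signature_revision", "classification_id", "priority_id",
              "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
              "impact_flag", "impact", "blocked")

class TruncatedRecord(Exception): """A record header claims more bytes than remain."""

def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, body) for each complete record, in file order."""
    off = 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise TruncatedRecord(f"offset {off}: {len(data) - off} stray bytes, no full header")
        rtype, rlen = HDR.unpack_from(data, off)
        body_off = off + HDR.size
        avail = len(data) - body_off
        if avail < rlen:  # the "incomplete record" condition u2boat/u2spewfoo report
            raise TruncatedRecord(
                f"offset {off}: type {rtype} record claims {rlen} bytes, only {avail} available")
        yield off, rtype, data[body_off:body_off + rlen]
        off = body_off + rlen

def decode_event(body: bytes) -> Dict[str, object]:
    """Decode a type 7 event (or the 52-byte prefix shared by type 104) into a dict."""
    ev = dict(zip(EVT_FIELDS, EVT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = str(ipaddress.IPv4Address(ev[key]))
    return ev

def decode_packet(body: bytes) -> Dict[str, object]:
    """Decode a type 2 record; raw packet bytes follow the 28-byte fixed header."""
    _sensor, event_id, _esec, psec, pusec, linktype, plen = PKT.unpack_from(body)
    data = body[PKT.size:PKT.size + plen]
    if len(data) != plen:
        raise ValueError(f"packet_length {plen} exceeds record body of {len(body)} bytes")
    return {"event_id": event_id, "sec": psec, "usec": pusec, "linktype": linktype, "data": data}

def dump(data: bytes) -> Tuple[List[dict], List[dict], Optional[str]]:
    """Decode every complete record; return events, packets and any truncation error."""
    events, packets, error = [], [], None
    try:
        for _off, rtype, body in iter_records(data):
            if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
                events.append(decode_event(body))
            elif rtype == UNIFIED2_PACKET:
                packets.append(decode_packet(body))
            # IPv6 events (72, 105) and extra-data records (110) are skipped here.
    except TruncatedRecord as exc:
        error = str(exc)
    return events, packets, error

def to_pcap(packets: List[dict]) -> bytes:
    """Serialise packets as a classic little-endian pcap file (one link type)."""
    linktype = packets[0]["linktype"]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        if p["linktype"] != linktype:
            raise ValueError("mixed link types in one pcap")
        out.append(struct.pack("<IIII", p["sec"], p["usec"], len(p["data"]), len(p["data"])))
        out.append(p["data"])
    return b"".join(out)

# Constructed sample (not from the post): one event, its Ethernet/IPv4/TCP frame,
# and a trailing record whose header promises 1 GiB with only 16 bytes behind it.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                     # Ethernet, type IPv4
    "45000028" "00004000" "40060000" "c0a80001" "0a000002"   # IPv4 192.168.0.1 -> 10.0.0.2
    "0050d431" "00000000" "00000000" "50022000" "00000000")  # TCP 80 -> 54321, SYN
EVENT_BODY = EVT.pack(1, 7, 1303847056, 0, 1000001, 1, 1, 0, 1,
                      0xC0A80001, 0x0A000002, 80, 54321, 6, 0, 0, 0)
PACKET_BODY = PKT.pack(1, 7, 1303847056, 1303847056, 123456, 1, len(FRAME)) + FRAME
SAMPLE = (HDR.pack(UNIFIED2_IDS_EVENT, len(EVENT_BODY)) + EVENT_BODY
          + HDR.pack(UNIFIED2_PACKET, len(PACKET_BODY)) + PACKET_BODY
          + HDR.pack(UNIFIED2_PACKET, 1073741824) + b"\x00" * 16)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    events, packets, error = dump(blob)
    for e in events:
        print(f"[{e['generator_id']}:{e['signature_id']}:{e['signature_revision']}] "
              f"{e['ip_source']}:{e['sport_itype']} -> {e['ip_destination']}:{e['dport_icode']}")
    if packets:
        open("unified2-out.pcap", "wb").write(to_pcap(packets))
    if error:
        print("stopped:", error, file=sys.stderr)
```

Run it as python3 u2dump.py snort-unified.1303847056; with no argument it decodes the constructed sample. Records that precede a truncated one are still decoded and written, so a spool that ends mid-record (a file that is still being appended to, for example) yields whatever packets are complete, and the reported offset says where the readable data ends. The resulting pcap can then be fed to tshark -r unified2-out.pcap -x the same way as the snort.pcap in James's current workflow.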
Current thread:
- Unified2 questions Lay, James (Apr 27)
- Re: Unified2 questions Joel Esler (Apr 27)
- Re: Unified2 questions Lay, James (Apr 27)
- Re: Unified2 questions waldo kitty (Apr 27)
- Re: Unified2 questions Joel Esler (Apr 27)
