
[Snort-users] running snort


Balla István

Apr 30, 2013, 3:43:35 PM
hi,

I set snort in rc.local and I see it's running as a daemon. (first screenshot)



however I have to issue the command in terminal to start the service: ./snort -Q -i eth2:eth1 -c /usr/local/snort/etc/snort.conf -s
after that it works. (second screenshot)


can I dump alerts or any event that takes place to this terminal window, or is it impossible while snort is running?

please point to the appropriate chapter in snort manual (long one) where Decoding Ethernet is explained (and how to modify)


**one more thing: is "-h anyiphere" necessary on the command line once I set the ipvar HOME_NET variable in snort.conf?

Thanks in advance

Joel Esler

Apr 30, 2013, 5:50:41 PM
On Apr 30, 2013, at 3:43 PM, Balla István <ball...@gmail.com> wrote:

> please point to the appropriate chapter in snort manual (long one) where Decoding Ethernet is explained (and how to modify)

"Decoding Ethernet" means "Snort is running now!".  I suggest you add "-D" to your Snort command line to make Snort run as a daemon and then deal with the logs it produces.

> **one more thing: is "-h anyiphere" necessary in the line command once I set ipvar HOME_NET variable in snort.conf?

-h is for the command line.  If you are setting HOME_NET in your snort.conf, then no, you don't need it in your command line.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Balla István

May 1, 2013, 8:18:20 AM
thanks for the answer Joel. snort is running as a daemon now. I wonder if you could provide a flow file with malicious traffic patterns (not so malicious, since my snort is not fine-tuned yet :) that snort can read in readback mode to test it.

**are detection and prevention functioning while reading back a flow or any traffic file?

------------------------------------------------

other thing: following a basic deployment documentation, I added the following to rc.local:

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
-G /usr/local/snort/etc/gen-msg.map \
-S /usr/local/snort/etc/sid-msg.map \
-d /var/log/snort \
-f snort.u2 \
-w /var/log/snort/barnyard2.waldo \
-D

it runs cool, but what is -f snort.u2?
I don't find it anywhere in the file system...

thanks


Balla István

May 1, 2013, 4:39:34 PM
sorry. snort.u2 is the log output format (unified2) with the appended identifier: .1234557...
but why is it that snort cannot read it with ./snort -r ./log/snort.u2.12345678?

error:
ERROR: Can't initialize DAQ pcap (-1) - unknown file format


beenph

May 1, 2013, 4:57:32 PM
On Wed, May 1, 2013 at 4:39 PM, Balla István <ball...@gmail.com> wrote:
> sorry. snort.u2 is the log output format (unified2) with the appended
> identifier: .1234557...
> but why is that snort cannot read it with ./snort -r ./log/snort.u2.12345678
>

To read a unified2 file you can use:

u2spewfoo (comes with the snort source package)
u2bloat (to extract packets from a unified2 file, also comes with the snort source package)
snort unified perl (http://code.google.com/p/snort-unified-perl/)
or
barnyard2 (to process a unified2 file to different outputs, www.github.com/firnsy/barnyard2)

-elz

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Balla István

May 1, 2013, 6:18:52 PM
actually I'm running snort with:
/usr/local/snort/bin/snort -Q -i eth2:eth1 -c /usr/local/snort/etc/snort.conf -D

it produced a log file in the /var/log/snort folder: snort.u2.123456789
I want to read (back) this file with: /usr/local/snort/bin/snort -r /var/log/snort/snort.u2.123456789

in snort.conf the output is set: output unified2: filename snort.u2, limit 128


2013/5/1 beenph <bee...@gmail.com>
> readback mode?
>
> Which software you want to use in "readback mode"?
> -elz
>
>
> On Wed, May 1, 2013 at 5:44 PM, Balla István <ball...@gmail.com> wrote:
> > could you write how to use it in readback mode? thanks
> >
> >
> > 2013/5/1 beenph <bee...@gmail.com>

beenph

May 1, 2013, 8:07:58 PM
On Wed, May 1, 2013 at 6:18 PM, Balla István <ball...@gmail.com> wrote:
> actually i m running snort with:
> /usr/local/snort/bin/snort -Q -i eth2:eth1 -c
> /usr/local/snort/etc/snort.conf -D
>
> it produced a log file into /var/log/snort folder: snort.u2.123456789
> i want to read(back) this file with: /usr/local/snort/bin/snort -r
> /var/log/snort/snort.u2.123456789
>

Unified2 output is not what your snort process has read from the network beforehand.

Unified2 is the result of events that snort triggered on the network traffic you monitored, using its configuration and defined rules.

For snort to read a file with -r, the source file needs to be a pcap file.

You could stretch the exercise to extract packets from the unified2 file using u2bloat and then read the output file with snort.

But depending on the rule set you have and the snort configuration, it's highly improbable that those packets will re-trigger the original events extracted from the original unified2 file.

So maybe you could explain what you really want to do and probably people could help you out.
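The two technical points of the thread, beenph's list of unified2 tools and the explanation that snort -r wants a pcap rather than the unified2 spool, in an added example that is not part of the original thread and is not Snort's own u2spewfoo or u2bloat: a short Python reader that tells the two file formats apart (the same distinction that is behind "ERROR: Can't initialize DAQ pcap (-1) - unknown file format", since the pcap DAQ checks for a libpcap magic number), decodes UNIFIED2_IDS_EVENT (type 7) and UNIFIED2_PACKET (type 2) records, and writes the packet records out as a classic pcap that snort -r can open. The record layouts follow Snort's Unified2_common.h; the sample spool, its addresses, timestamps and signature id 1000001 are constructed for the demonstration, and record types it does not decode (IPv6, VLAN, extra data) are passed through as raw bytes.

```python
"""Minimal unified2 reader and unified2-to-pcap converter (added example, not Snort code)."""
import socket
import struct
from collections import namedtuple

# Record type codes from Snort's Unified2_common.h; only two are decoded here.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
KNOWN_TYPES = {1, 2, 7, 72, 99, 100, 104, 105, 110}

# Magic numbers a libpcap reader accepts (either byte order, micro- or nanosecond stamps).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

IdsEvent = namedtuple("IdsEvent", "sensor_id event_id event_second event_microsecond "
                      "sig_id gen_id sig_rev class_id priority src dst sport dport "
                      "proto impact_flag impact blocked")
Packet = namedtuple("Packet", "sensor_id event_id event_second packet_second "
                    "packet_microsecond linktype data")


def classify_file(data: bytes) -> str:
    """Return 'pcap', 'unified2' or 'unknown' from the first bytes of a file.

    A pcap starts with a magic number; a unified2 spool starts with a
    big-endian (type, length) record header, which is why the pcap DAQ
    rejects it as an unknown file format.
    """
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= 8:
        rtype, rlen = struct.unpack(">II", data[:8])
        if rtype in KNOWN_TYPES and 0 < rlen <= len(data) - 8:
            return "unified2"
    return "unknown"


def iter_unified2(data: bytes):
    """Yield IdsEvent / Packet records, or ('unknown', type, body) for other types."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            # 11 x u32, 2 x u16, 4 x u8 = 52 bytes, all big-endian
            yield IdsEvent(*struct.unpack(">11I2H4B", body[:52]))
        elif rtype == UNIFIED2_PACKET:
            # 7 x u32 header (last field is packet_length), then the captured frame
            hdr = struct.unpack(">7I", body[:28])
            yield Packet(*hdr[:6], body[28:28 + hdr[6]])
        else:
            yield ("unknown", rtype, body)


def describe_event(ev: IdsEvent) -> str:
    """One-line event summary (our own format, in the spirit of u2spewfoo's output)."""
    def ip(v):
        return socket.inet_ntoa(struct.pack(">I", v))
    return "[%d:%d:%d] %s:%d -> %s:%d proto=%d priority=%d blocked=%d" % (
        ev.gen_id, ev.sig_id, ev.sig_rev, ip(ev.src), ev.sport, ip(ev.dst), ev.dport,
        ev.proto, ev.priority, ev.blocked)


def unified2_to_pcap(data: bytes) -> bytes:
    """Write the UNIFIED2_PACKET records as a classic libpcap file that 'snort -r' can read."""
    packets = [r for r in iter_unified2(data) if isinstance(r, Packet)]
    linktype = packets[0].linktype if packets else 1  # DLT_EN10MB if the spool has no packets
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        out.append(struct.pack("<IIII", p.packet_second, p.packet_microsecond,
                               len(p.data), len(p.data)))
        out.append(p.data)
    return b"".join(out)


def build_sample_unified2() -> bytes:
    """Constructed two-record spool (one IDS event plus its packet); not a real Snort capture."""
    src, dst = 0x0A000005, 0xC0A8010A  # 10.0.0.5 -> 192.168.1.10 (constructed addresses)
    event = struct.pack(">11I2H4B", 0, 1, 1367400000, 0, 1000001, 1, 1, 3, 2,
                        src, dst, 40000, 80, 6, 0, 0, 0)
    # constructed Ethernet/IPv4 frame: 14-byte Ethernet header, 20-byte IP header, payload
    frame = bytes(12) + b"\x08\x00" + b"\x45" + bytes(19) + b"GET / HTTP/1.0\r\n"
    packet = struct.pack(">7I", 0, 1, 1367400000, 1367400000, 123, 1, len(frame)) + frame
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event +
            struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    spool = build_sample_unified2()
    print("sample spool is:", classify_file(spool))
    for rec in iter_unified2(spool):
        if isinstance(rec, IdsEvent):
            print(describe_event(rec))
        elif isinstance(rec, Packet):
            print("packet: %d bytes, linktype %d" % (len(rec.data), rec.linktype))
    pcap = unified2_to_pcap(spool)
    print("converted output is:", classify_file(pcap), "(%d bytes)" % len(pcap))
```

To run it on a real spool, read the file from the thread's path (for example /var/log/snort/snort.u2.123456789) into a bytes object and pass it to iter_unified2() or unified2_to_pcap(). The caveat in the message above still applies to the converted pcap: replaying it with snort -r gives Snort the packets but not the stream and preprocessor state that existed when the events fired, so the original alerts will not necessarily reappear; the pcap is useful for inspecting what was logged, not as a regression test of the ruleset.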