Netgate Discussion Forum
    [solved] how to activate Snort event pcaps?

    Scheduled Pinned Locked Moved IDS/IPS
    snort pcap
    6 Posts 3 Posters 1.9k Views
    ThomasDr

      Hello,
      pfsense V2.4.4-RELEASE-p3
      snort 3.2.9.9_1

      I can't find any event pcaps in the /var/log/snort/ directory.
      How can I activate the event pcaps logging?

      regards
      ThomasD

      bmeeks

        You should find them in a sub-directory such as /var/log/snort/snort_xxxx_xx where the xxxx_xx will be a random GUID and the physical interface name. In there you will find snort.log files. You will likely find many of those files with timestamps added to the end of them. The timestamps show when the logs were rotated. Settings on the LOG MGMT tab of Snort control how many packet log files (in kilobytes) are kept and for how long.

        You can read them with tcpdump using

        /usr/local/bin/tcpdump -r <file>
        

        You can also use the Snort u2boat utility to convert them to pcaps as follows:

        /usr/local/bin/u2boat -t pcap <infile> <outfile>
        
        ThomasDr

          Hello,

          I took a look at these files. For the LAN interface I can see the snort.log files and can load them directly with Wireshark.
          But on the WAN interface I have only alert, app-stats.log, barnyard2, pppoe1.stats and snort_24833_pppoe1.u2 files.

          regards
          ThomasD

          bmeeks @ThomasDr

            @ThomasDr:

            The presence of *.u2 files indicates you have Barnyard2 configured and that will enable the Unified2 binary logging format. In that case, you must view those files with /usr/local/bin/u2spewfoo.

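To make the file formats discussed above concrete, here is an added example (not from this thread, and not Snort's own u2boat or u2spewfoo code) that walks the Unified2 records in a snort_*.u2 file, pulls out the UNIFIED2_PACKET records and serializes them as a classic pcap, which is what u2boat -t pcap does. The sample .u2 bytes are constructed inline; the record layouts follow the Unified2 on-disk format (big-endian type/length header, 28-byte packet record header).

```python
import struct

UNIFIED2_PACKET = 2        # record type carrying a raw captured packet
UNIFIED2_IDS_EVENT = 7     # alert event record; u2spewfoo prints these as text
PCAP_MAGIC = 0xA1B2C3D4    # classic pcap, written here in big-endian form

def iter_records(data):
    """Yield (type, body) for each Unified2 record: header is two big-endian uint32."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break      # truncated tail: Snort still writing, or rotated mid-record
        yield rtype, body
        off += 8 + rlen

def packets_from_u2(data):
    """Return [(packet_second, packet_microsecond, linktype, packet_bytes)] from packet records."""
    pkts = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET or len(body) < 28:
            continue   # events, extra-data and malformed records are skipped
        # Serial_Unified2Packet: sensor_id, event_id, event_second,
        # packet_second, packet_microsecond, linktype, packet_length, then data
        _sensor, _event, _evsec, sec, usec, linktype, plen = struct.unpack_from("!7I", body)
        pkts.append((sec, usec, linktype, body[28:28 + plen]))
    return pkts

def to_pcap(pkts, linktype=1):
    """Serialize packets as a libpcap stream (24-byte global header, 16-byte per-packet header)."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, _lt, pkt in pkts:
        out += struct.pack("!IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out

def convert(infile, outfile):
    """u2boat-style conversion of one .u2 file to a .pcap file."""
    with open(infile, "rb") as f:
        pkts = packets_from_u2(f.read())
    with open(outfile, "wb") as f:
        f.write(to_pcap(pkts))
    return len(pkts)

# Constructed sample: a stub event record followed by one packet record (42-byte Ethernet frame).
SAMPLE_PKT = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28
SAMPLE_U2 = (struct.pack("!II", UNIFIED2_IDS_EVENT, 4) + b"\x00" * 4          # stub body, not a real event
             + struct.pack("!II", UNIFIED2_PACKET, 28 + len(SAMPLE_PKT))
             + struct.pack("!7I", 1, 42, 1700000000, 1700000000, 123456, 1, len(SAMPLE_PKT))
             + SAMPLE_PKT)
```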
            ThomasDr

              @bmeeks said in how to activate Snort event pcaps?:

              /usr/local/bin/u2spewfoo

              Hello,

              thank you, now I understand these files.

              regards
              ThomasD

              jazzl0ver

                For some reason, there are no pcap files in /var/log/snort/snort_*/
                Log management tab is: [screenshot]
                Snort is running: [screenshot]

                Could anyone point me to how to enable them, please?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.