[solved] how to activate Snort event pcaps?



  • Hello,
    pfsense V2.4.4-RELEASE-p3
    snort 3.2.9.9_1

    I can't find any event pcaps in the /var/log/snort/ directory.
    How can I activate the event pcaps logging?

    regards
    ThomasD



  • You should find them in a sub-directory such as /var/log/snort/snort_xxxx_xx where the xxxx_xx will be a random GUID and the physical interface name. In there you will find snort.log files. You will likely find many of those files with timestamps added to the end of them. The timestamps show when the logs were rotated. Settings on the LOG MGMT tab of Snort control how many packet log files (in kilobytes) are kept and for how long.

    You can read them with tcpdump using

    /usr/local/bin/tcpdump -r <file>
    

    You can also use the Snort u2boat utility to convert them to pcaps as follows:

    /usr/local/bin/u2boat -t pcap <infile> <outfile>
    


  • Hello,

    I take a look at these files, for the LAN interface I can see the snort.log files and can load it directly with Wireshark.
    But at the WAN interface, I have only alert, app-stats.log, barnyard2, pppoe1.stats and snort_24833_pppoe1.u2 files.

    regards
    ThomasD



  • @ThomasDr:

    The presence of *.u2 files indicates you have Barnyard2 configured and that will enable the Unified2 binary logging format. In that case, you must view those files with /usr/local/bin/u2spewfoo.



  • @bmeeks said in how to activate Snort event pcaps?:

    /usr/local/bin/u2spewfoo

    Hello,

    thang you, now I understand these files.

    regards
    ThomasD



  • For some reason, there're no pcap files in /var/log/snort/snort_*/
    Log management tab is:
    cb7ae7d7-5e59-41f6-9bf5-31eed92ca9c7-image.png
    Snort is running:
    ad0354a4-833a-4b9e-8f3b-d32c8bd015cb-image.png

    Could anyone point me on how to enable them, please?


Log in to reply