Netgate Discussion Forum
[solved] how to activate Snort event pcaps?

Category: IDS/IPS. Tags: snort, pcap. 6 posts, 3 posters, 1.9k views.
ThomasDr (Oct 13, 2019, 6:46 PM; last edited by ThomasDr Oct 20, 2019, 1:44 AM):

Hello,
pfSense V2.4.4-RELEASE-p3
snort 3.2.9.9_1

I can't find any event pcaps in the /var/log/snort/ directory.
How can I activate the event pcaps logging?

regards
ThomasD
bmeeks (Oct 14, 2019, 12:12 AM; last edited by bmeeks Oct 14, 2019, 12:24 AM):

You should find them in a sub-directory such as /var/log/snort/snort_xxxx_xx where the xxxx_xx will be a random GUID and the physical interface name. In there you will find snort.log files. You will likely find many of those files with timestamps added to the end of them. The timestamps show when the logs were rotated. Settings on the LOG MGMT tab of Snort control how many packet log files (in kilobytes) are kept and for how long.

You can read them with tcpdump using

    /usr/local/bin/tcpdump -r <file>

You can also use the Snort u2boat utility to convert them to pcaps as follows:

    /usr/local/bin/u2boat -t pcap <infile> <outfile>
ThomasDr (Oct 20, 2019, 12:28 AM):

Hello,

I took a look at these files; for the LAN interface I can see the snort.log files and can load them directly with Wireshark.
But at the WAN interface, I have only alert, app-stats.log, barnyard2, pppoe1.stats and snort_24833_pppoe1.u2 files.

regards
ThomasD
bmeeks, replying to @ThomasDr (Oct 20, 2019, 12:42 AM):

@ThomasDr:

The presence of *.u2 files indicates you have Barnyard2 configured and that will enable the Unified2 binary logging format. In that case, you must view those files with /usr/local/bin/u2spewfoo.
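To show what u2boat does when it turns a .u2 file into a pcap, here is an added example (not code from this thread or from the Snort project): it walks the Unified2 records in a file, skips the event records that u2spewfoo would print, and writes the type-2 packet records out as a classic libpcap file. The sample bytes at the bottom are constructed, and the type-7 event body in them is a dummy, not a real event.

```python
import io
import struct

U2_PACKET = 2  # Unified2 record type whose body carries a captured packet


def iter_unified2_records(data: bytes):
    """Yield (type, body) per record; the header is two big-endian uint32s: type, length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + rlen]
        off += rlen


def packets_from_unified2(data: bytes):
    """Return (linktype, sec, usec, packet) for every packet record, skipping event records."""
    packets = []
    for rtype, body in iter_unified2_records(data):
        if rtype != U2_PACKET:
            continue  # IDS event / extra-data records carry no packet bytes
        # Serial_Unified2Packet: sensor_id, event_id, event_second, packet_second,
        # packet_microsecond, linktype, packet_length, then the raw packet bytes
        _sensor, _event, _event_sec, sec, usec, linktype, plen = struct.unpack_from("!7I", body)
        pkt = body[28:28 + plen]
        if len(pkt) != plen:
            raise ValueError("packet record shorter than its declared packet_length")
        packets.append((linktype, sec, usec, pkt))
    return packets


def write_pcap(packets, linktype: int) -> bytes:
    """Serialise packets as a classic libpcap file (little-endian, snaplen 65535)."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for _lt, sec, usec, pkt in packets:
        buf.write(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return buf.getvalue()


# Constructed sample .u2 contents: a dummy type-7 event record (4-byte body, not a real
# event; only its header matters here) followed by one packet record with an Ethernet header.
SAMPLE_PKT = bytes.fromhex("ffffffffffff0011223344550800")
_pkt_body = struct.pack("!7I", 1, 42, 1571526000, 1571526000, 123456, 1, len(SAMPLE_PKT)) + SAMPLE_PKT
SAMPLE_U2 = (struct.pack("!II", 7, 4) + b"\0\0\0\0"
             + struct.pack("!II", U2_PACKET, len(_pkt_body)) + _pkt_body)

if __name__ == "__main__":
    pkts = packets_from_unified2(SAMPLE_U2)
    open("sample.pcap", "wb").write(write_pcap(pkts, pkts[0][0]))
```

The resulting sample.pcap opens in Wireshark or with tcpdump -r exactly like the snort.log files on the LAN interface.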
ThomasDr (Oct 20, 2019, 1:43 AM):

@bmeeks said in how to activate Snort event pcaps?:

    /usr/local/bin/u2spewfoo

Hello,

thank you, now I understand these files.

regards
ThomasD
jazzl0ver (Dec 17, 2019, 2:49 PM):

For some reason, there're no pcap files in /var/log/snort/snort_*/
Log management tab is:
[screenshot: Log Management tab]
Snort is running:
[screenshot: Snort interface status]

Could anyone point me on how to enable them, please?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.