[solved] how to activate Snort event pcaps?
-
Hello,
pfsense V2.4.4-RELEASE-p3
snort 3.2.9.9_1
I can't find any event pcaps in the /var/log/snort/ directory.
How can I activate the event pcaps logging?
regards
ThomasD -
You should find them in a sub-directory such as /var/log/snort/snort_xxxx_xx where the xxxx_xx will be a random GUID and the physical interface name. In there you will find
snort.log
files. You will likely find many of those files with timestamps added to the end of them. The timestamps show when the logs were rotated. Settings on the LOG MGMT tab of Snort control how many packet log files (in kilobytes) are kept and for how long.
You can read them with tcpdump using
/usr/local/bin/tcpdump -r <file>
You can also use the Snort
u2boat
utility to convert them to pcaps as follows:
/usr/local/bin/u2boat -t pcap <infile> <outfile>
-
Hello,
I take a look at these files, for the LAN interface I can see the snort.log files and can load it directly with Wireshark.
But at the WAN interface, I have only alert, app-stats.log, barnyard2, pppoe1.stats and snort_24833_pppoe1.u2 files.
regards
ThomasD -
The presence of *.u2 files indicates you have Barnyard2 configured and that will enable the Unified2 binary logging format. In that case, you must view those files with
/usr/local/bin/u2spewfoo
. -
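To make concrete what the u2boat conversion mentioned earlier and the *.u2 files in this post actually contain, here is a small added example (not code from this thread, pfSense, Barnyard2 or Snort) that walks a Unified2 file and writes its packet records out as a classic pcap that tcpdump -r or Wireshark can open. The record layouts follow Snort's Unified2 record header (type, length) and Serial_Unified2Packet structure; the Unified2 bytes it parses are constructed inline for the demonstration, not a real capture, and event records are skipped because only packet records (type 2) carry packet bytes.

```python
"""Minimal Unified2 -> pcap converter, illustrating what u2boat -t pcap does
with the snort_*.u2 files written when Barnyard2 is enabled.

Added example, not code from pfSense, Snort, Barnyard2 or this thread. Layouts
follow Snort's Unified2 record header and Serial_Unified2Packet structures; the
sample Unified2 bytes below are constructed for this example, not a real capture.
"""
import struct

UNIFIED2_PACKET = 2          # record type for a logged packet
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps


def iter_unified2_records(data):
    """Yield (type, payload) per record; header is two big-endian uint32 fields."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated Unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_packet_record(payload):
    """Decode a Serial_Unified2Packet body into (linktype, ts_sec, ts_usec, pkt)."""
    fields = struct.unpack_from("!7I", payload, 0)
    sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len = fields
    pkt = payload[28:28 + pkt_len]
    if len(pkt) != pkt_len:
        raise ValueError("packet_length %d exceeds record body" % pkt_len)
    return linktype, pkt_sec, pkt_usec, pkt


def unified2_to_pcap(data, snaplen=65535):
    """Return pcap file bytes holding every packet record in a Unified2 blob.

    Event records (types 7, 104, 110, ...) are skipped; only type 2 carries
    packet bytes. The pcap link type is taken from the first packet record
    (1 = Ethernet).
    """
    packets = [parse_packet_record(p) for t, p in iter_unified2_records(data)
               if t == UNIFIED2_PACKET]
    linktype = packets[0][0] if packets else 1
    # pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for lt, sec, usec, pkt in packets:
        if lt != linktype:
            raise ValueError("mixed link types in one Unified2 file")
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def build_sample_unified2():
    """Constructed Unified2 blob: one event record (ignored) and one packet record."""
    # Constructed 14-byte Ethernet header (broadcast dst, IPv4 ethertype) + 4 payload bytes
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45\x00\x00\x1c"
    body = struct.pack("!7I", 1, 42, 1700000000, 1700000000, 123456, 1, len(frame)) + frame
    pkt_rec = struct.pack("!II", UNIFIED2_PACKET, len(body)) + body
    ev_rec = struct.pack("!II", 104, 8) + b"\x00" * 8   # placeholder event body, skipped
    return ev_rec + pkt_rec


def count_packets(pcap):
    """Walk a pcap produced above and return the number of packet records."""
    off, n = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16 + incl
        n += 1
    return n


if __name__ == "__main__":
    pcap = unified2_to_pcap(build_sample_unified2())
    with open("converted.pcap", "wb") as f:   # open with tcpdump -r or Wireshark
        f.write(pcap)
    print("wrote %d packet(s)" % count_packets(pcap))
```

On a real sensor you would feed it the bytes of a snort_*.u2 file instead of the constructed blob; the checks on record length and packet_length matter there, because a file that was rotated mid-write can end in a truncated record.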
@bmeeks said in how to activate Snort event pcaps?:
/usr/local/bin/u2spewfoo
Hello,
thank you, now I understand these files.
regards
ThomasD -
For some reason, there're no pcap files in /var/log/snort/snort_*/
Log management tab is:
Snort is running:
Could anyone point me to how to enable them, please?