#1 2013-02-13 18:30:01

voorhees
Member
Registered: 2013-02-13
Posts: 2

Snort logging issue.

Hey Folks - recently fired up snort using arch arm v6 and a raspberry pi. I then used yaourt to install snort as pacman didn't seem to find snort in the community repo like the docs said.
It works fairly well but whenever it writes to /var/log/snort/snort.log.* the characters it uses are unreadable. Example:

Testing with ping:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

02/13-13:52:45.181625  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.1 -> 192.168.2.3
02/13-13:52:45.181836  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.3 -> 192.168.2.1
02/13-13:52:46.182778  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.2.1 -> 192.168.2.3

Writing directly to the console appears all good. But the log itself looks like this:

cat snort.log.1360777055
?ò??{??fbb?'????H?~EW@??????s>CQ?
!"#$%&'()*+,-./01234567{?rgbb??H?~]?'?ET?\@o??????s>CQ?
!"#$%&'()*+,-./01234567|??ibb?'????H?~ET8M@?????#>CQ|                                                 
!"#$%&'()*+,-./01234567|?Ojbb??H?~]?'?ET?]@o??????#>CQ|                                                   

I have tried a few different output configurations at this point. Same state regardless of the output options it seems. Also tried to rebuild from scratch using another raspi with the same result (I thought I messed up my locale before compiling snort). Not quite sure what else to try. Same results leaving the snort.conf as default as possible. Any thoughts or comments?

Thanks

#2 2013-02-13 19:24:53

voorhees
Member
Registered: 2013-02-13
Posts: 2

Re: Snort logging issue.

This is expected behavior - I needed to run snort -r to read the file.

"Snort logs are in binary PCAP format. You can read the logs with Snort itself using -r or you can also use wireshark. You can log in ASCII, but it's slower than logging in binary. Ultimately, you want to log in unified2 and then use barnyard2 to read or store data to a database."

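The quoted explanation is the whole story: what `cat` printed is a libpcap capture, not text. As an added example (not from this thread, Snort or its docs), the Python below checks a snort.log.* file for the pcap magic bytes and walks its global header and per-packet records, pulling out the same source/destination addresses the console alerts showed; the one-packet capture it builds is constructed, and the timestamp value in it is assumed.

```python
import struct

# libpcap magic numbers as they appear on disk (file byte order + timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian
}

def is_snort_pcap(data: bytes) -> bool:
    """True when the first four bytes are a libpcap magic (what snort.log.* starts with)."""
    return data[:4] in PCAP_MAGICS

def parse_snort_log(data: bytes) -> dict:
    """Walk a libpcap file: 24-byte global header, then 16-byte record headers + frames."""
    if not is_snort_pcap(data):
        raise ValueError("not a libpcap capture; magic=%s" % data[:4].hex())
    endian, ts_unit = PCAP_MAGICS[data[:4]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        frame = data[off:off + caplen]
        pkt = {"ts_sec": ts_sec, "ts_frac": ts_frac, "caplen": caplen, "origlen": origlen}
        # Linktype 1 is Ethernet; EtherType 0x0800 is IPv4, whose addresses sit at fixed offsets
        if linktype == 1 and caplen >= 34 and frame[12:14] == b"\x08\x00":
            pkt["proto"] = frame[23]  # 1 = ICMP, matching the {ICMP} alerts in the thread
            pkt["src"] = ".".join(map(str, frame[26:30]))
            pkt["dst"] = ".".join(map(str, frame[30:34]))
        packets.append(pkt)
        off += caplen
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "ts_unit": ts_unit, "packets": packets}

def build_sample_log() -> bytes:
    """Constructed sample: a one-packet capture of an ICMP echo request 192.168.2.1 -> 192.168.2.3."""
    eth = b"\x00" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # dst MAC, src MAC, IPv4
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"abcdefgh"        # echo request, checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([192, 168, 2, 1]), bytes([192, 168, 2, 3]))
    frame = eth + ip + icmp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    rhdr = struct.pack("<IIII", 1360777055, 181625, len(frame), len(frame))  # assumed timestamp
    return ghdr + rhdr + frame
```

Point it at a real file with `parse_snort_log(open("/var/log/snort/snort.log.1360777055", "rb").read())`; a file that fails `is_snort_pcap` was written by something other than the default pcap logger.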
Powered by FluxBB