List: snort-users
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
From: Robert Rusnak <robert@ahearn.com>
Date: 2020-03-31 20:49:58
Message-ID: 9E6971AF4DDA0A4E934E1CD8EFDC1A0802B39ECE96@ASEXCH1.ahearn.ca
Hello Al
Adding the rule to the local.rules fixed the issue.
Thank you very much for your help (and your patience).
Also a Thank you to everyone who contributed as well.
Rob
(416) 847-4902
From: Al Lewis (allewi) <allewi@cisco.com>
Sent: March 30, 2020 6:07 PM
To: Robert Rusnak <robert@ahearn.com>
Cc: snort-users@lists.snort.org
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Hello Robert,
It may be best to start with the basics first before trying to tackle specific detection issues. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node28.html
Create a local rule, something like
"alert ip any any -> any any (msg:"ANY TO ANY"; sid:1000000;)"
should alert on any IP traffic.
Then start snort (include the option to disable checksums '-k none') using -r to read a pcap directly.
i.e. "./bin/snort -c etc/snort.conf -r etc/anytraffic.pcap -l . -k none -q"
You should see some alerts logged in the CSV file after generating the traffic. Check the alerts logged (listed in the exit stats).
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
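The procedure Al describes, scripted as an added example (this is not code from the thread or from the Snort project): it appends a fully terminated any-to-any rule to local.rules once, runs Snort 2.9 over a pcap with checksum verification off, then reads the "Alerts:" count out of the exit statistics and counts the rows the alert_csv writer produced for that sid, so "did Snort alert?" is answered from the stats and the CSV contents rather than from the file merely existing. The install prefix, the local.rules path, the log file name and the sample stats/CSV text are assumptions; the CSV column positions follow the alert_csv "default" format (timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, ...). Al's command uses -q; this one omits it so nothing Snort prints at exit is suppressed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the Snort project.
# Assumed layout (matches Al's listing): SNORT_DIR/bin/snort, SNORT_DIR/etc/snort.conf,
# and a local.rules file that snort.conf already includes.
set -eu

SNORT_DIR="${SNORT_DIR:-/var/tmp/snort-2.9.15}"                   # assumption
LOCAL_RULES="${LOCAL_RULES:-$SNORT_DIR/etc/rules/local.rules}"    # assumption
TEST_SID=1000000                                                  # local sids start at 1000000

# The any-to-any test rule. Every option, including the last one, ends with ';'.
test_rule() {
    printf 'alert ip any any -> any any (msg:"ANY TO ANY"; sid:%s; rev:1;)\n' "$TEST_SID"
}

# Append the rule to a rules file unless that sid is already present (idempotent,
# so re-running the script never produces a duplicate-sid error).
add_test_rule() {
    rules_file="$1"
    if ! grep -q "sid:$TEST_SID;" "$rules_file" 2>/dev/null; then
        test_rule >> "$rules_file"
    fi
}

# Read Snort's exit statistics on stdin and print the "Alerts:" count.
alerts_from_stats() {
    sed -n 's/^[[:space:]]*Alerts:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Count alert_csv rows for one sid. In the "default" csv format sig_id is column 3
# (timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, ...).
csv_rows_for_sid() {
    awk -F, -v s="$2" '$3 == s { n++ } END { print n + 0 }' "$1"
}

# Run Snort over a pcap into a log directory. -k none skips checksum verification,
# so packets with bad or offloaded checksums are not discarded before detection.
# Everything Snort prints is kept in a file so the exit stats can be checked afterwards.
run_snort_pcap() {
    pcap="$1"; logdir="$2"
    "$SNORT_DIR/bin/snort" -c "$SNORT_DIR/etc/snort.conf" -r "$pcap" -l "$logdir" -k none \
        > "$logdir/snort-run.log" 2>&1
}

# Stand-alone use: ./check_csv.sh capture.pcap /tmp/snortlogs
if [ "${1:-}" != "" ] && [ -x "$SNORT_DIR/bin/snort" ]; then
    logdir="${2:-.}"
    mkdir -p "$logdir"
    add_test_rule "$LOCAL_RULES"
    run_snort_pcap "$1" "$logdir"
    alerts=$(alerts_from_stats < "$logdir/snort-run.log")
    echo "exit stats: Alerts: ${alerts:-?}"
    for csv in "$logdir"/*.csv; do
        [ -f "$csv" ] || continue
        echo "$csv: $(csv_rows_for_sid "$csv" "$TEST_SID") rows for sid $TEST_SID"
    done
fi
```

Before the first run, `snort -T -c etc/snort.conf` is worth a look: test mode parses the configuration and rules and reports how many rules were loaded, so a count of zero points at the include line for local.rules rather than at the CSV output plugin. If the exit stats show a non-zero "Alerts:" line but the CSV still has no rows for sid 1000000, the problem is in the output configuration; if "Alerts:" stays at 0 with the any-to-any rule active, Snort is not seeing the packets at all (check the "discarded" counters in the same stats block).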
From: Robert Rusnak <robert@ahearn.com>
Date: Monday, March 30, 2020 at 5:28 PM
To: "Joel Esler (jesler)" <jesler@cisco.com>
Cc: "Al Lewis (allewi)" <allewi@cisco.com>, snort-users@lists.snort.org
Subject: RE: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Thanks Joel for the information.
Rob
(416) 847-4902
From: Joel Esler (jesler) <jesler@cisco.com>
Sent: March 30, 2020 4:51 PM
To: Robert Rusnak <robert@ahearn.com>
Cc: Al Lewis (allewi) <allewi@cisco.com>; snort-users@lists.snort.org
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Flowbit warnings should have nothing to do with CSV output.
Also, using PulledPork should resolve these flowbit errors.
On Mar 30, 2020, at 3:55 PM, Robert Rusnak <robert@ahearn.com> wrote:
Hi Al
Please forgive me, I am definitely a Snort noob and I'm feeling completely lost at the moment.
Basically, it looks like my installation of Snort is doing what it believes it is supposed to be doing but for some reason it is not flagging alerts on any packets. As per your run of the file, there should be.
The local.rules file is empty (besides the basic information) and I'm not sure on the exact rule to put in to look at all of the packets.
I am seeing a lot of warnings to do with flowbit keys while running Snort in Windows (or Linux). Could this be the issue? <image001.png>
Rob
From: Al Lewis (allewi) <allewi@cisco.com>
Sent: March 30, 2020 11:07 AM
To: Robert Rusnak <robert@ahearn.com>; snort-users@lists.snort.org
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Hello Robert,
I tested this and it alerts and logs on some preprocessor events. A lot of the traffic in the pcap is discarded by snort (check your exit stats).

debian9@debian9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/snort.conf -r ~/Downloads/dump_data.pcap -l . -k none -q
debian9@debian9:/var/tmp/snort-2.9.15$ ls
bin  etc  include  lib  preproc_rules  Rob_Snort_alert.csv  share  snort.log.1585580439  src
debian9@debian9:/var/tmp/snort-2.9.15$ less etc/snort.conf | grep Rob
output alert_csv: Rob_Snort_alert.csv default
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
From: Robert Rusnak <robert@ahearn.com>
Date: Monday, March 30, 2020 at 10:56 AM
To: "Al Lewis (allewi)" <allewi@cisco.com>, snort-users@lists.snort.org
Subject: RE: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Hi Al
I should be seeing Anonymous FTP login attempts (553) and buffer overflow attempts (1622). PacketTotal detects these on the trace file I'm using.
I will try your suggestion.
Thanks
Rob
(416) 847-4902
From: Al Lewis (allewi) <allewi@cisco.com>
Sent: March 30, 2020 10:43 AM
To: Robert Rusnak <robert@ahearn.com>; snort-users@lists.snort.org
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
What alerts are you expecting?
The alerts output shows 0 so according to snort it didn't see any interesting traffic.
Try testing with an any to any rule.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
From: Robert Rusnak <robert@ahearn.com>
Date: Monday, March 30, 2020 at 10:36 AM
To: "Al Lewis (allewi)" <allewi@cisco.com>, snort-users@lists.snort.org
Subject: RE: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Hi Al
Thanks for getting back to me.
The file I am testing with does contain data which should produce alerts (see attached). I have also tested with another capture that also should generate alerts but produces the same result.
Since I have tried this on 2 different Kali Linux versions and also Windows and am getting the same results, I'm wondering if maybe there is something in the snort.conf (or other config file) which is preventing the detection or processing of the alerts?
Rob
From: Al Lewis (allewi) <allewi@cisco.com>
Sent: March 30, 2020 10:24 AM
To: Robert Rusnak <robert@ahearn.com>; snort-users@lists.snort.org
Subject: Re: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
Hello Robert,
Based on the file you provided, your exit stats don't show any alerts so nothing will be output.
===============================================================================
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
Passed: 0 ( 0.000%)
You may want to create/enable something that would generate noisy traffic (i.e. an any to any rule).
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Robert Rusnak <robert@ahearn.com>
Date: Monday, March 30, 2020 at 10:17 AM
To: snort-users@lists.snort.org
Subject: [Snort-users] Alert Output to CSV - File gets created but does not get populated with any data.
PROBLEM DESCRIPTION:
I am trying to use Snort to output alerts to a csv file from a trace file (dump_data.pcap). The csv file (snort_alert.csv) is created but fails to populate with any data (file size = 0 bytes). I have tried to get this to work with both Windows 10 and Kali Linux only to have the same results. For simplicity's sake let's look at fixing the issue in Windows (I suspect the Windows fix will also apply to Linux). I have spent the last two weeks attempting to get Snort installed and running properly but have not been able to find the solution through troubleshooting or research. Hopefully for you Gurus, this is a simple fix.
The attached text file (Snort Info - Windows.txt) contains the information based on your "Good Question" FAQ.
The image file is a screenshot of the resultant output csv (snort_alert.csv) file that was created with a file size of 0 bytes.
Thank you
Robert Rusnak | System Administrator
Ahearn & Soper Inc. | proVision WMS
This e-mail is intended solely for the use of the individual to whom it is addressed.
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave@lists.snort.org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Courier;
panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Impact;
panose-1:2 11 8 6 3 9 2 5 2 4;}
@font-face
{font-family:"Bauhaus 93";
panose-1:4 3 9 5 2 11 2 2 12 2;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.EmailStyle21
{mso-style-type:personal;
font-family:Courier;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hello \
Al<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="mso-fareast-language:EN-US">Adding the rule to the local.rules fixed the \
issue. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Thank you very much for \
your help (and your patience).<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="mso-fareast-language:EN-US"><o:p> </o:p></span></p> <p \
class="MsoNormal"><span style="mso-fareast-language:EN-US">Also a Thank you to \
everyone who contributed as well.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="mso-fareast-language:EN-US"><o:p> </o:p></span></p> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans \
MS"">Rob<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans MS"">(416) \
847-4902</span><span style="font-size:10.0pt;font-family:"Comic Sans \
MS""><o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="mso-fareast-language:EN-US"><o:p> </o:p></span></p> <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Al \
Lewis (allewi) <allewi@cisco.com> <br>
<b>Sent:</b> March 30, 2020 6:07 PM<br>
<b>To:</b> Robert Rusnak <robert@ahearn.com><br>
<b>Cc:</b> snort-users@lists.snort.org<br>
<b>Subject:</b> Re: [Snort-users] Alert Output to CSV - File gets created but does \
not get populated with any data.<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">Hello \
Robert,<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US" style="font-family:Courier"> It may be best to \
start with the basics first before trying to tackle specific detection issues. \
</span><span lang="EN-US"><a \
href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node28.html">http://m \
anual-snort-org.s3-website-us-east-1.amazonaws.com/node28.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US" style="font-family:Courier"> Create a local \
rule, something like <o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal" \
style="text-indent:36.0pt"><span lang="EN-US" style="font-family:Courier">"alert ip \
any any -> any any (msg:"ANY TO ANY"; sid:1000000)" \
<o:p></o:p></span></p> <p class="MsoNormal" style="text-indent:36.0pt"><span \
lang="EN-US" style="font-family:Courier"><o:p> </o:p></span></p> <p \
class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" \
style="font-family:Courier">should alert on any IP traffic.<o:p></o:p></span></p> <p \
class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US" style="font-family:Courier"> Then start snort \
(include the option to disable checksums ‘-k none') using -r to read a pcap \
directly. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal" \
style="text-indent:36.0pt"><span lang="EN-US" style="font-family:Courier">i.e \
"./bin/snort -c etc/snort.conf -r etc/anytraffic.pcap -l . -k none \
-q"<o:p></o:p></span></p> <p class="MsoNormal" style="text-indent:36.0pt"><span \
lang="EN-US" style="font-family:Courier"><o:p> </o:p></span></p> <p \
class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" \
style="font-family:Courier">You should see some alerts logged in the CSV file after \
generating the traffic. Check the alerts logged (listed in the exit \
stats).<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US" style="font-family:Courier"><o:p> </o:p></span></p> <div>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><span lang="EN-US" style="color:black"><o:p></o:p></span></p> <p \
class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><span lang="EN-US" style="color:black"><o:p></o:p></span></p> <p \
class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><span lang="EN-US" style="color:black"><o:p></o:p></span></p> <p \
class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier;color:#999999">Email: </span><span lang="EN-US" \
style="font-family:Courier;color:black"><a href="mailto:allewi@cisco.com"><span \
style="color:purple">allewi@cisco.com</span></a></span><span lang="EN-US" \
style="font-family:Courier;color:#4F81BD"><o:p></o:p></span></p> <p \
class="MsoNormal"><span lang="EN-US" style="color:black"><o:p> </o:p></span></p> \
</div> <p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US" style="font-family:Courier"><o:p> </o:p></span></p> <div \
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"> <p \
class="MsoNormal"><b><span lang="EN-US" style="font-size:12.0pt;color:black">From: \
</span></b><span lang="EN-US" style="font-size:12.0pt;color:black">Robert Rusnak \
<<a href="mailto:robert@ahearn.com">robert@ahearn.com</a>><br> <b>Date: \
</b>Monday, March 30, 2020 at 5:28 PM<br> <b>To: </b>"Joel Esler (jesler)" \
<<a href="mailto:jesler@cisco.com">jesler@cisco.com</a>><br> <b>Cc: \
</b>"Al Lewis (allewi)" <<a \
href="mailto:allewi@cisco.com">allewi@cisco.com</a>>, "<a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>" \
<<a href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>><br>
<b>Subject: </b>RE: [Snort-users] Alert Output to CSV - File gets created but does \
not get populated with any data.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US">Thanks Joel for the \
information.<o:p></o:p></span></p> <p class="MsoNormal"><span \
lang="EN-US"> <o:p></o:p></span></p> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans MS"">Rob</span><span \
lang="EN-US"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans MS"">(416) \
847-4902</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Joel \
Esler (jesler) <<a href="mailto:jesler@cisco.com">jesler@cisco.com</a>> <br>
<b>Sent:</b> March 30, 2020 4:51 PM<br>
<b>To:</b> Robert Rusnak <<a \
href="mailto:robert@ahearn.com">robert@ahearn.com</a>><br> <b>Cc:</b> Al Lewis \
(allewi) <<a href="mailto:allewi@cisco.com">allewi@cisco.com</a>>; <a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a><br> \
<b>Subject:</b> Re: [Snort-users] Alert Output to CSV - File gets created but does \
not get populated with any data.<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Flowbit warnings should have nothing to do \
with CSV output.<o:p></o:p></span></p> <div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Also, using PulledPork should resolve these \
flowbit errors.<o:p></o:p></span></p> <div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US"><br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">On Mar 30, 2020, at 3:55 PM, Robert Rusnak \
<<a href="mailto:robert@ahearn.com">robert@ahearn.com</a>> \
wrote:<o:p></o:p></span></p> </div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi Al</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Please forgive me, I am \
definitely a Snort noob and I'm feeling completely lost at the \
moment. </span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Basically, It looks \
like my installation of Snort is doing what it believes it is supposed to be doing \
but for some reason it is not flagging alerts on any packets. As per your run \
of the file, there should be.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">The local.rules file is \
empty (besides the basic information) and I'm not sure on the exact rule to put in to \
look at all of the packets.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I am seeing a lot of \
warnings to do with flowbit keys while running Snort in Windows (or Linux). \
Could this be the issue?</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"><image001.png><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Rob</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span \
class="apple-converted-space"><span lang="EN-US"> </span></span><span \
lang="EN-US">Al Lewis (allewi) [<a href="mailto:allewi@cisco.com"><span \
style="color:#954F72">mailto:allewi@cisco.com</span></a>]<span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>March 30, 2020 11:07 AM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Robert Rusnak <<a \
href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>>;<span \
class="apple-converted-space"> </span><a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a><br> <b>Subject:</b><span \
class="apple-converted-space"> </span>Re: [Snort-users] Alert Output to CSV - \
File gets created but does not get populated with any data.<o:p></o:p></span></p> \
</div> </div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">Hello \
Robert,</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> I tested this and it alerts and \
logs on some preprocessor events. A lot of the traffic in the pcap is discarded by \
snort (check your exit stats).</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier"><a \
href="mailto:debian9@debian9:/var/tmp/snort-2.9.15$"><span \
style="color:#954F72">debian9@debian9:/var/tmp/snort-2.9.15$</span></a><span \
class="apple-converted-space"> </span>./bin/snort
-c etc/snort.conf -r ~/Downloads/dump_data.pcap -l . -k none -q</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier"><a \
href="mailto:debian9@debian9:/var/tmp/snort-2.9.15$"><span \
style="color:#954F72">debian9@debian9:/var/tmp/snort-2.9.15$</span></a><span \
class="apple-converted-space"> </span>ls</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">bin \
etc include lib preproc_rules Rob_Snort_alert.csv \
share snort.log.1585580439 src</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier"><a \
href="mailto:debian9@debian9:/var/tmp/snort-2.9.15$"><span \
style="color:#954F72">debian9@debian9:/var/tmp/snort-2.9.15$</span></a><span \
class="apple-converted-space"> </span>less etc/snort.conf | grep \
Rob</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">output alert_csv: \
Rob_Snort_alert.csv default</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier;color:#999999">Email: </span><span lang="EN-US" \
style="font-family:Courier"><a href="mailto:allewi@cisco.com"><span \
style="color:purple">allewi@cisco.com</span></a></span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm \
0cm"> <div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:12.0pt">From:<span \
class="apple-converted-space"> </span></span></b><span lang="EN-US" \
style="font-size:12.0pt">Robert Rusnak <<a href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>><br> <b>Date:<span \
class="apple-converted-space"> </span></b>Monday, March 30, 2020 at 10:56 AM<br> \
<b>To:<span class="apple-converted-space"> </span></b>"Al Lewis \
(allewi)" <<a href="mailto:allewi@cisco.com"><span \
style="color:#954F72">allewi@cisco.com</span></a>>, "<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>" <<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>><br> <b>Subject:<span \
class="apple-converted-space"> </span></b>RE: [Snort-users] Alert Output to CSV \
- File gets created but does not get populated with any data.</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">HI Al<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I should be seeing Anonymous FTP login \
attempts (553) and buffer overflow attempts (1622).<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US">PacketTotal detects these on the trace file \
I'm using.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I will try your \
suggestion.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans MS"">Rob</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Comic Sans MS"">(416) \
847-4902</span><span lang="EN-US"><o:p></o:p></span></p> </div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span \
class="apple-converted-space"><span lang="EN-US"> </span></span><span \
lang="EN-US">Al Lewis (allewi) <<a href="mailto:allewi@cisco.com"><span \
style="color:#954F72">allewi@cisco.com</span></a>><span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>March 30, 2020 10:43 AM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Robert Rusnak <<a \
href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>>;<span \
class="apple-converted-space"> </span><a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a><br> <b>Subject:</b><span \
class="apple-converted-space"> </span>Re: [Snort-users] Alert Output to CSV - \
File gets created but does not get populated with any data.<o:p></o:p></span></p> \
</div> </div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">What alerts are \
you expecting?</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">The alerts output \
shows 0, so according to Snort it didn't see any interesting traffic.</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">Try testing with \
an any-to-any rule.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier;color:#999999">Email: </span><span lang="EN-US" \
style="font-family:Courier"><a href="mailto:allewi@cisco.com"><span \
style="color:purple">allewi@cisco.com</span></a></span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm \
0cm"> <div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:12.0pt">From:<span \
class="apple-converted-space"> </span></span></b><span lang="EN-US" \
style="font-size:12.0pt">Robert Rusnak <<a href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>><br> <b>Date:<span \
class="apple-converted-space"> </span></b>Monday, March 30, 2020 at 10:36 AM<br> \
<b>To:<span class="apple-converted-space"> </span></b>"Al Lewis \
(allewi)" <<a href="mailto:allewi@cisco.com"><span \
style="color:#954F72">allewi@cisco.com</span></a>>, "<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>" <<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>><br> <b>Subject:<span \
class="apple-converted-space"> </span></b>RE: [Snort-users] Alert Output to CSV \
- File gets created but does not get populated with any data.</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi Al</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thanks for getting back \
to me.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">The file I am testing \
with does contain data which should produce alerts (see attached).</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I have also tested with \
another capture that also should generate alerts but produces the same \
result.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Since I have tried this \
on 2 different Kali Linux versions and also Windows and getting the same results, I'm \
wondering if maybe there is something in the snort.conf (or other config file) which \
is preventing the detection or processing of the alerts?</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Rob</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span \
class="apple-converted-space"><span lang="EN-US"> </span></span><span \
lang="EN-US">Al Lewis (allewi) [<a href="mailto:allewi@cisco.com"><span \
style="color:#954F72">mailto:allewi@cisco.com</span></a>]<span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>March 30, 2020 10:24 AM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Robert Rusnak <<a \
href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>>;<span \
class="apple-converted-space"> </span><a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a><br> <b>Subject:</b><span \
class="apple-converted-space"> </span>Re: [Snort-users] Alert Output to CSV - \
File gets created but does not get populated with any data.<o:p></o:p></span></p> \
</div> </div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">Hello \
Robert,</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> Based on the file you provided, \
your exit stats don't show any alerts so nothing will be output.</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier">===============================================================================</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">Action \
Stats:</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier">Alerts: 0 ( 0.000%)</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier">Logged: 0 ( 0.000%)</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier">Passed: 0 ( 0.000%)</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:Courier">You may want to \
create/enable something that would generate noisy traffic (i.e. any-to-any \
rule).</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier;color:#999999">Email: </span><span lang="EN-US" \
style="font-family:Courier"><a href="mailto:allewi@cisco.com"><span \
style="color:purple">allewi@cisco.com</span></a></span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-family:Courier"> </span><span lang="EN-US"><o:p></o:p></span></p> \
</div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm \
0cm"> <div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:12.0pt">From:<span \
class="apple-converted-space"> </span></span></b><span lang="EN-US" \
style="font-size:12.0pt">Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org"><span \
style="color:#954F72">snort-users-bounces@lists.snort.org</span></a>> on behalf \
of Robert Rusnak <<a href="mailto:robert@ahearn.com"><span \
style="color:#954F72">robert@ahearn.com</span></a>><br> <b>Date:<span \
class="apple-converted-space"> </span></b>Monday, March 30, 2020 at 10:17 AM<br> \
<b>To:<span class="apple-converted-space"> </span></b>"<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>" <<a \
href="mailto:snort-users@lists.snort.org"><span \
style="color:#954F72">snort-users@lists.snort.org</span></a>><br> <b>Subject:<span \
class="apple-converted-space"> </span></b>[Snort-users] Alert Output to CSV - \
File gets created but does not get populated with any data.</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">PROBLEM DESCRIPTION:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I am trying to use Snort to output alerts to \
a csv file from a trace file (dump_data.pcap). The csv file (snort_alert.csv) \
is created but fails to populate with any data (file size = 0 bytes). I have \
tried to get this to work with both Windows 10 and Kali Linux only to have the same \
results. For simplicity's sake, let's look at fixing the issue in Windows (I \
suspect the Windows fix will also apply to Linux). I have spent the last two \
weeks attempting to get Snort installed and running properly but have not been able \
to find the solution through troubleshooting or research. Hopefully for you \
Gurus, this is a simple fix.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">The attached Text file (Snort Info – \
Windows.txt) contains the information based on your "Good Question" \
FAQ.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">The image file is a screenshot of the \
resultant output csv (snort_alert.csv) file that was created with a file size of 0 \
bytes.<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thank you<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:10.0pt;font-family:"Arial",sans-serif">Robert Rusnak | \
System Administrator</span></b><span lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:12.0pt;font-family:"Impact",sans-serif;color:#850021">Ahearn \
& Soper Inc.</span><span class="apple-converted-space"><b><span lang="EN-US" \
style="font-size:12.0pt;font-family:"Arial",sans-serif"> </span></b></span><b><span \
lang="EN-US" style="font-size:12.0pt;font-family:"Arial",sans-serif">|</span></b><span \
class="apple-converted-space"><span lang="EN-US" \
style="font-size:12.0pt;font-family:"Arial",sans-serif"> </span></span><span \
lang="EN-US" style="font-size:12.0pt;font-family:"Bauhaus \
93";color:#0D713E">proVision WMS</span><span \
lang="EN-US"><o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span lang="EN-US">This e-mail is intended solely for the use of \
the individual to whom it is addressed.<o:p></o:p></span></p> </div>
<p class="MsoNormal"><span lang="EN-US" \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br> Snort-users mailing \
list<br> </span><span lang="EN-US"><a href="mailto:Snort-users@lists.snort.org"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">Snort-users@lists.snort.org</span></a></span><span \
lang="EN-US" style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
Go to this URL to change user options or unsubscribe:<br>
</span><span lang="EN-US"><a \
href="https://lists.snort.org/mailman/listinfo/snort-users"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">https://lists.snort.org/mailman/listinfo/snort-users</span></a></span><span \
lang="EN-US" style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<br>
<span class="apple-tab-span"> \
</span>To unsubscribe, send an email to:<br> <span \
class="apple-tab-span"> \
</span></span><span lang="EN-US"><a \
href="mailto:snort-users-leave@lists.snort.org"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">snort-users-leave@lists.snort.org</span></a></span><span \
lang="EN-US" style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<br>
Please visit<span class="apple-converted-space"> </span></span><span \
lang="EN-US"><a href="http://blog.snort.org/"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">http://blog.snort.org</span></a></span><span \
class="apple-converted-space"><span lang="EN-US" \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span></span><span \
lang="EN-US" style="font-size:9.0pt;font-family:"Helvetica",sans-serif">to \
stay current on all the latest Snort news!<br> <br>
Please follow these rules:<span \
class="apple-converted-space"> </span></span><span lang="EN-US"><a \
href="https://snort.org/faq/what-is-the-mailing-list-etiquette"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">https://snort.org/faq/what-is-the-mailing-list-etiquette</span></a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
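<p class="MsoNormal">The sanity check Al Lewis recommends in this thread (an any-to-any rule in local.rules, then a run with <code>-r</code> on a pcap and <code>-k none</code>, reading the Alerts count in the exit stats) separates two very different failures: Snort never alerting, and Snort alerting but the alert_csv output not writing. The script below is an added example, not code from the thread or from the Snort project. It wraps that check and reports which of the two cases you are in. The Snort binary, snort.conf, local.rules, pcap and log-directory paths are assumptions supplied by the caller; the CSV name snort_alert.csv is the one used in the thread, and it assumes snort.conf already includes the local rules file.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project: a small
# wrapper around the sanity check Al Lewis recommends (any-to-any rule in
# local.rules, then "snort -c ... -r pcap -l . -k none -q") that reports *why*
# the CSV stayed empty instead of leaving you with a 0-byte file.
# Binary, config, rules, pcap and log-directory paths are assumptions supplied
# by the caller; the CSV name snort_alert.csv is the one used in the thread.

# The any-to-any test rule from the thread, with each option terminated by ';'
# as Snort's rule parser expects.
TEST_RULE='alert ip any any -> any any (msg:"ANY TO ANY"; sid:1000000; rev:1;)'

# Write the test rule to the local rules file that snort.conf includes
# (assumption: "include $RULE_PATH/local.rules" is present in snort.conf).
write_test_rule() {
    printf '%s\n' "$TEST_RULE" > "$1"
}

# Read Snort's exit statistics on stdin and print the Alerts count from the
# "Action Stats" block, which looks like:
#   Action Stats:
#        Alerts:            0 (  0.000%)
alerts_from_stats() {
    awk '/Action Stats:/ { seen = 1 }
         seen && /Alerts:/ { print $2; exit }'
}

# Classify one run from its exit stats and the CSV it should have written.
# Return 0: alerts fired and the CSV has data.
# Return 1: Snort never alerted, so the output plugin had nothing to write;
#           the rule is not loaded or packets were not inspected (for example
#           checksum failures when -k none is missing), not an alert_csv problem.
# Return 2: Snort alerted but the CSV is still empty; the output line in
#           snort.conf (or the -l directory) is the thing to look at.
classify_run() {
    stats_file="$1"; csv_file="$2"
    alerts=$(alerts_from_stats < "$stats_file")
    : "${alerts:=0}"
    if [ "$alerts" -eq 0 ]; then
        echo "no alerts fired: rule not loaded or packets not inspected (try -k none)"
        return 1
    fi
    if [ ! -s "$csv_file" ]; then
        echo "$alerts alerts fired but $csv_file is empty: check the alert_csv output line"
        return 2
    fi
    echo "$alerts alerts fired and $csv_file has data"
    return 0
}

# Full run against a real pcap (all paths are caller-supplied assumptions):
#   sh snort_csv_check.sh /opt/snort/bin/snort /opt/snort/etc/snort.conf \
#      /opt/snort/rules/local.rules capture.pcap /tmp/snortlog
run_snort_test() {
    snort_bin="$1"; conf="$2"; rules_file="$3"; pcap="$4"; logdir="${5:-.}"
    mkdir -p "$logdir"
    write_test_rule "$rules_file"
    "$snort_bin" -c "$conf" -r "$pcap" -l "$logdir" -k none -q \
        > "$logdir/exit_stats.txt" 2>&1
    classify_run "$logdir/exit_stats.txt" "$logdir/snort_alert.csv"
}

# Stand-alone demo on constructed stats (no Snort needed): the same zero-alert
# block quoted in the thread, next to the empty CSV Rob reported.
demo() {
    d=$(mktemp -d)
    printf 'Action Stats:\n     Alerts:            0 (  0.000%%)\n' > "$d/stats"
    : > "$d/snort_alert.csv"
    classify_run "$d/stats" "$d/snort_alert.csv"
    rm -rf "$d"
}

if [ "$#" -ge 4 ]; then run_snort_test "$@"; else demo; fi
```

<p class="MsoNormal">Run with no arguments it only exercises the classifier on constructed stats; given the four paths it performs the real run. The three return codes encode the distinction Al draws in the thread: "your exit stats don't show any alerts so nothing will be output" is return 1, a rule or inspection problem to fix before touching the output configuration, while return 2 is the only case where the alert_csv line itself is the suspect.</p>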
</body>
</html>