
I am reading some Snort logs from a firewall; I could read some with "snort -r file".

But when I tried the newest logs I got this error:

    snort -r snort.log

    Running in packet dump mode

       --== Initializing Snort ==--

    Initializing Output Plugins! pcap DAQ configured to read-file.

    ERROR: Can't initialize DAQ pcap (-1) - unknown file format

    Fatal Error, Quitting..

Probably Snort is running in NIDS mode, I don't know; I have Barnyard on this system, if that helps. Is there any material to help me understand and troubleshoot this problem?

Thank you!

bugsam
  • When I Google your error, it appears to be a local snort install issue. Has your snort environment changed? Can you open the previous router logs without an error? – schroeder Sep 05 '16 at 15:48
  • I'm not sure if the environment has changed; in truth, I'm doing a forensic investigation. The firewall is a Red Hat Linux server; other logs I can read normally. I tried to open these logs with Wireshark, but that failed too. – bugsam Sep 05 '16 at 16:48

2 Answers

1

I figured out that the problem is the format of the Snort output: the logs that I could read are alert logging; the logs that I can't read are unified2.

Unified2 can work in one of three modes, packet logging, alert logging, or true unified logging. Packet logging includes a capture of the entire packet and is specified with log_unified2. Likewise, alert logging will only log events and is specified with alert unified2. To include both logging styles in a single, unified file, simply specify unified2.

https://www.snort.org/faq/readme-unified2

Thx

bugsam
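To make the point of this answer concrete: the "unknown file format" error comes from libpcap, which only recognises the pcap and pcapng magic numbers, while a unified2 file begins with a record header (a big-endian type and length). The reader below is an added example, not code from the original post or from the Snort project; it follows the record layout documented in Snort's README.unified2 and Unified2_common.h, handles only the legacy IPv4 event and packet record types by field (other types are skipped by length), and the sample bytes it builds are constructed, not real sensor output. For real files, Snort's own u2spewfoo tool or barnyard2 does the same job.

```python
"""Decode Snort unified2 output and tell it apart from pcap.

Added example, not code from the original post or from Snort: a small
pure-Python reader for the record layout in Snort's README.unified2 and
Unified2_common.h, plus a magic-byte sniffer. Sample bytes are constructed.
"""
import socket
import struct
import sys

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with MPLS/VLAN fields, 60 bytes

# Each record: header of two big-endian uint32 (type, length), then the body.
RECORD_HDR = struct.Struct("!II")
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")   # 52 bytes
PACKET_HDR = struct.Struct("!7I")              # 28 bytes, then packet_length bytes

PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}
KNOWN_U2_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN}


def sniff_format(data: bytes) -> str:
    """Classify a file by its first bytes. libpcap accepts only the pcap/pcapng
    magics; a unified2 file starts with a record header whose first four bytes
    are a small type number (e.g. 00 00 00 07), hence 'unknown file format'."""
    if len(data) < RECORD_HDR.size:
        return "truncated"
    if data[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[data[:4]]
    rtype, rlen = RECORD_HDR.unpack_from(data)
    if rtype in KNOWN_U2_TYPES and 0 < rlen <= len(data) - RECORD_HDR.size:
        return "unified2"
    return "unknown"


def parse_unified2(data: bytes):
    """Yield (record_type, fields) per record; stop at a partial trailing record
    (normal when the sensor is still appending to the file)."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size:off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break
        off += RECORD_HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT_LEGACY.size:
            f = IDS_EVENT_LEGACY.unpack(body)
            yield rtype, {
                "event_id": f[1], "event_second": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                "src": socket.inet_ntoa(body[36:40]),
                "dst": socket.inet_ntoa(body[40:44]),
                "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
            }
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            p = PACKET_HDR.unpack_from(body)
            yield rtype, {"event_id": p[1], "linktype": p[5], "packet_length": p[6],
                          "packet": body[PACKET_HDR.size:PACKET_HDR.size + p[6]]}
        else:
            yield rtype, {"raw_len": rlen}   # other types: skipped by length


def build_sample() -> bytes:
    """Constructed two-record stream (one TCP alert and its packet), not real
    sensor output."""
    ev = IDS_EVENT_LEGACY.pack(
        1, 42, 1473000000, 0,            # sensor_id, event_id, second, usec
        1000001, 1, 3, 0, 2,             # sid, gid, rev, classification, priority
        int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
        51234, 80, 6, 0, 0, 1)           # sport, dport, proto=TCP, impact_flag, impact, blocked
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    pk = PACKET_HDR.pack(1, 42, 1473000000, 1473000000, 0, 1, len(payload)) + payload
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk)


if __name__ == "__main__":
    # Usage: python u2read.py snort.log.1473000000   (no argument: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("format:", sniff_format(data))
    if sniff_format(data) == "unified2":
        for rtype, fields in parse_unified2(data):
            print(rtype, fields)
```

Run it against the file that failed with `snort -r`: if `sniff_format` says unified2, `-r` will never read it, and the event records give you the gid:sid:rev, addresses and timestamps you need for the investigation; packet records carry the raw frame with its linktype, which is what you would write into a pcap for Wireshark.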
0

First of all, the -r option is for analyzing .pcap files. That's why you came across this error output:

ERROR: Can't initialize DAQ pcap (-1) - unknown file format

To be able to capture the Snort logs, you need to specify whether they will go to syslog or be stored in some desired file. With both options you will need a monitor to read the latest logs generated (e.g. tail(1) can be your friend at that time).

According to the snort(8) manpage:

-l: set the output log. By default it is set to /var/snort/log;

-i: set the specific interface to sniff packets;

-s: send log to syslog;

-c: set the config file that contain the rules;


Example of use:

Capture logs from eth0:

./snort -i eth0 -c /etc/snort/snort.conf -l ./snort-eth0.log

Use tail -f ./snort-eth0.log on another console to look at the logs in real time. If you want to send to the syslog, just add the -s at the end of the snort command line.

Capture logs from snort running in Daemon mode:

First, you need to know where snort is spitting the logs. To do this, check what was specified in the flag -l. If it is not specified, remember that the default path is /var/snort/log.

ps -p $(pidof /opt/snort3/bin/snort) -f
...
tail -f /var/snort/log
slayer
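Two checks that go with the "find out where Snort is writing" step of this answer, as an added example that is not part of the original answer: read the -l value off the running process's command line, and list the active `output` plugin lines in snort.conf, because that is what decides whether the files in the log directory are unified2 (binary; needs barnyard2 or u2spewfoo), plain text (alert_fast/alert_full) or pcap (log_tcpdump). The snort.conf content and command line below are constructed samples; the default of /var/log/snort used when -l is absent is Snort's compiled-in default.

```bash
#!/bin/sh
# Added example (not from the original answer): locate a running Snort's log
# directory and find out which output plugin wrote the files there.
# The snort.conf content and the command line below are constructed samples;
# /var/log/snort is Snort's compiled-in default when -l is absent.

# Print the value of -l from a snort command line, or the default.
snort_logdir() {
    # $1: full command line, e.g. from: ps -o args= -p "$(pidof snort)"
    dir=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-l[[:space:]]*\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${dir:-/var/log/snort}"
}

# Print the active (non-commented) output plugin lines from a snort.conf.
snort_outputs() {
    # $1: path to snort.conf
    grep -E '^[[:space:]]*output[[:space:]]' "$1" | sed 's/^[[:space:]]*//'
}

# Summarise the logging style: "unified2" files need barnyard2/u2spewfoo,
# "text" files are readable with less/tail, "pcap" files work with snort -r.
snort_log_style() {
    snort_outputs "$1" | awk '
        /^output[ \t]+(unified2|log_unified2|alert_unified2)/ { u2 = 1 }
        /^output[ \t]+alert_(fast|full|syslog)/               { txt = 1 }
        /^output[ \t]+log_tcpdump/                            { pcap = 1 }
        END {
            printf "%s%s%s\n", (u2 ? "unified2 " : ""), (txt ? "text " : ""), (pcap ? "pcap " : "")
        }' | sed 's/ $//'
}

# --- constructed sample inputs (not from a real sensor) ---
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# output alert_fast: alert.txt
output alert_syslog: LOG_AUTH LOG_ALERT
output unified2: filename snort.log, limit 128
EOF
SAMPLE_CMDLINE='/usr/sbin/snort -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/eth0'

echo "log dir: $(snort_logdir "$SAMPLE_CMDLINE")"
echo "outputs:"; snort_outputs "$SAMPLE_CONF"
echo "style:   $(snort_log_style "$SAMPLE_CONF")"
```

With the sample conf the style comes back as "unified2 text": the syslog alerts are readable as they arrive, but the snort.log.<timestamp> files in the -l directory are unified2 and will fail with `snort -r` exactly as in the question.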