Can I read the snort log in NIDS mode?

274    Asked by ranjan_6399 in SQL Server , Asked on Jan 17, 2022
I am reading some snort logs from a firewall. I could read some with "snort -r file", but when I tried the newest logs I get this error:

snort -r snort.log
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - unknown file format
Fatal Error, Quitting..

Probably the snort is running in NIDS mode, I don't know. I have barnyard on this system, if that helps. Is there any material to help me understand and troubleshoot this problem?
Answered by Ranjana Admin
First of all, the option -r is related to analyzing .pcap files. That's why you came across this error output:

ERROR: Can't initialize DAQ pcap (-1) - unknown file format
To be able to capture the Snort log, you need to specify whether it will go to syslog or it will be stored in some desired file. Both options will need a monitor to read the latest logs generated (e.g.: the tail(1) can be your friend at that time.)

According to the snort(8) manpage:

-l: set the output log. By default it is set to /var/snort/log;

-i: set the specific interface to sniff packets;

-s: send log to syslog;

-c: set the config file that contains the rules;

Example of use:
Capture logs from eth0:
./snort -i eth0 -c /etc/snort/snort.conf -l ./snort-eth0.log
Use tail -f ./snort-eth0.log on another console to look at the logs in real time. If you want to send them to syslog, just add -s at the end of the snort command line.

Capture logs from snort running in Daemon mode:
First, you need to know where snort is spitting the logs. To do this, check what was specified in the flag -l. If it is not specified, remember that the default path is /var/snort/log.

ps -p $(pidof /opt/snort3/bin/snort) -f
..
tail -f /var/snort/log
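The error in the question comes from the pcap DAQ not recognising the file's header: `snort -r` reads packet captures, not the files Snort's own output plugins write. The following shell functions, added here as an example and not part of the answer above or of the Snort project, check the first four bytes of a file and classify it as pcap, pcap with nanosecond timestamps, pcapng, or unknown, so a file is only handed to `snort -r` when it is actually a capture. The sample files built by `make_samples` are constructed headers (no packets) purely for illustration; the suggestion to use barnyard2 or u2spewfoo for unified2 logs is an assumption about what the "newest logs" are, since the question mentions barnyard but does not show the file type.

```shell
#!/bin/sh
# Added example (not from the original answer or from Snort itself):
# decide whether a file is something `snort -r` (the pcap DAQ) can read.

# Print the first four bytes of a file as lowercase hex, no separators.
first4_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# classify_capture FILE -> prints one of: pcap, pcap-ns, pcapng, unknown
classify_capture() {
    case "$(first4_hex "$1")" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;      # libpcap, microsecond timestamps (LE/BE)
        4d3cb2a1|a1b23c4d) echo pcap-ns ;;   # libpcap, nanosecond timestamps (LE/BE)
        0a0d0d0a)          echo pcapng ;;    # pcapng section header block type
        *)                 echo unknown ;;   # anything else: not a capture file
    esac
}

# replay_if_pcap FILE: run `snort -r` only on a readable capture; otherwise
# explain why it would fail. Returns 0 for a capture, 1 otherwise.
replay_if_pcap() {
    kind=$(classify_capture "$1")
    case "$kind" in
        pcap|pcap-ns|pcapng)
            echo "$1: $kind capture, replaying with snort -r"
            snort -r "$1"
            ;;
        *)
            echo "$1: not a pcap/pcapng file ($kind); snort -r will fail with" \
                 "'unknown file format'. If this is a unified2 alert log from" \
                 "the -l output directory, read it with barnyard2 or u2spewfoo" \
                 "instead (assumption: the file came from a Snort output plugin)." >&2
            return 1
            ;;
    esac
}

# Constructed sample inputs: only the leading header bytes, enough for the
# classifier. Prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    printf '\324\303\262\241\002\000\004\000' > "$dir/sample_le.pcap"   # d4 c3 b2 a1 ...
    printf '\012\015\015\012\034\000\000\000' > "$dir/sample.pcapng"    # 0a 0d 0d 0a ...
    printf 'not a capture\n'                  > "$dir/sample_other.log" # no pcap magic
    echo "$dir"
}
```

Call `replay_if_pcap /path/to/snort.log` before spending time on DAQ errors: a file reported as `unknown` was not written by a packet capture and needs the reader matching the output plugin that produced it, which is what the answer's point about choosing syslog or a log file with -l comes down to.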
