Re: [pfSense] Snort questions

2015-11-07 Thread John Johnstone

On 11/6/15 5:47 PM, Sergii Cherkashyn wrote:


> Thank you, John, but it doesn't seem to work.
>
> I can download the archive file, but inside it has a Barnyard2 folder with
> int.waldo files in it and three more files - int.stats, alert and some
> snort_randomnumber file. None of them seems to be in pcap format or to
> contain the pattern of the traffic that triggered the alert.


I haven't used Barnyard2 so I'm not sure what's in there and since I 
haven't enabled it, that folder is empty in my download file.


In the tar file are files with a name snort.log.unix-timestamp.  These 
are pcap files that can be opened with something like Wireshark or 
tcpdump.  The alert files are the alerts in csv format.


This must be documented somewhere but I don't know where.  I just 
browsed through these files to figure this out.


You might already be aware of this, but just in case: the files do not 
have filename extensions, so you need to explicitly open the files if you 
are looking at them under Windows or Mac OS, e.g. right-click then Open 
with, or start Wireshark and then open the files from the File Open dialog.


-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
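As an added example (not part of the thread), here is a small Python inventory script for an archive like the one John describes: because the Snort log files carry no extension, it classifies each archive member by content (pcap magic bytes versus CSV) and counts the packet records in each capture. The member names, timestamps and alert line are constructed for the example.

```python
import io
import struct
import tarfile

PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}  # LE/BE, usec and nsec variants

def identify(data: bytes) -> str:
    """Classify a file by its content, since the Snort log files have no extension."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        return "pcap"
    if data.startswith(b"#") or b"," in data.split(b"\n", 1)[0]:
        return "csv"
    return "unknown"

def count_packets(data: bytes) -> int:
    """Count pcap records by walking the 16-byte per-packet headers after the 24-byte global header."""
    order = "<" if struct.unpack("<I", data[:4])[0] in (0xa1b2c3d4, 0xa1b23c4d) else ">"
    off, n = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]  # captured length field
        off += 16 + incl_len
        n += 1
    return n

def inventory(tar_bytes: bytes) -> dict:
    """Return {member name: (kind, packet count for pcap / line count otherwise)}."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in filter(tarfile.TarInfo.isfile, tar.getmembers()):
            data = tar.extractfile(m).read()
            kind = identify(data)
            detail = count_packets(data) if kind == "pcap" else data.count(b"\n")
            result[m.name] = (kind, detail)
    return result

def _build_sample_archive() -> bytes:
    """Constructed sample: a tiny little-endian pcap with two packets plus a CSV alert file."""
    pkt = b"\xff" * 14                                               # dummy 14-byte Ethernet frame
    pcap = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1
    for ts in (1446850000, 1446850001):
        pcap += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    alerts = b"timestamp,sig_generator,sig_id,msg\n11/06/15-17:47:00,1,2000001,constructed test alert\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("snort_12345/snort.log.1446850000", pcap), ("snort_12345/alert", alerts)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

SAMPLE_ARCHIVE = _build_sample_archive()
```

Run `inventory(open("snort_logs.tgz", "rb").read())` against a real download to list which members Wireshark or tcpdump can open.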


[pfSense] 2.2.5-RELEASE Now Available!

2015-11-07 Thread Doug Lytle

I see 2.2.5 is available and didn't see any mention of it here.

https://blog.pfsense.org/

Doug
