leonward / snoge

Automatically exported from code.google.com/p/snoge

Help with unified #10

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello Leon

Works on Ubuntu 10.10
barnyard2
snoge-1.7

Please help with the below error

infos@IDS:~/Build/snoge$ sudo ./snoge -v -c unified-example.conf --onefile /var/log/snort/snort.log.1305109770 -w /var/www/snoge/snoge.kml
CONFIG: Input mode is        : unified
CONFIG: sid-msg file is      : /etc/snort/sid-msg.map
CONFIG: gen-msg file is      : /etc/snort/gen-msg.map
CONFIG: Base filename is     : /var/log/snort/snort.log
CONFIG: Ignoring Source      : 80.68.89.43 208.100.37.101
CONFIG: Ignoring Destination :
CONFIG: Ignoring SIDs        : 1421 1000000001 13948 12801
CONFIG: Updateinterval       : 3 events
CONFIG: Maxplacemarks        : 50
CONFIG: Maximum Statistics   : 4000
CONFIG: Default location     : rm-rf.co.uk
CONFIG: KMLOutputfile        :  /var/www/snoge/snoge.kml
CONFIG: Server Refresh       : 5
CONFIG: waldo                : /dev/null
CONFIG: Event Icon           : warning.png
CONFIG: Sensor Icon          : snorty.gif
CONFIG: Banner               : snort-ge-banner.png
CONFIG: UpdateURL            : http://10.2.1.13/snoge/snoge.kml
CONFIG: Defense Center       : 192.168.222.20
CONFIG: Estreamer Port       : 8302
CONFIG: Certfile             : ./certfile.txt
CONFIG: Sensors              : rm-rf.co.uk sourcefire.com
CONFIG: Image URL            : http://rm-rf.co.uk/downloads/
CONFIG: classification file  : /etc/snort/classification.config
- Default Latitude set to 54
- Default Longitude set to -2
- Defailt City - >  United Kingdom
- Unified mode * Importing functions:
- Adding sensor rm-rf.co.uk in , United Kingdom
- Adding sensor sourcefire.com in Columbia, United States
- Now processing unified file(s).....
Working on single file /var/log/snort/snort.log.1305109770
unable to open /var/log/snort/snort.log.1305109770 at ./snoge line 1145.

Please find below that file's permissions.

infos@IDS:~$ whoami
infos

infos@IDS:~$ ls -l /var/log/snort/snort.log.1305109770
-rw-r----- 1 snort adm 6908 2011-05-11 14:50 /var/log/snort/snort.log.1305109770

infos@IDS:~$ file /var/log/snort/snort.log.1305109770
/var/log/snort/snort.log.1305109770: data

Original issue reported on code.google.com by bam...@gmail.com on 16 May 2011 at 7:03

GoogleCodeExporter commented 9 years ago
Can you run it with --debug ?

Original comment by leon.j.w...@gmail.com on 16 May 2011 at 7:51

GoogleCodeExporter commented 9 years ago
Hi Leon,

Below what I get with --debug

infos@IDS:~/Build/snoge$ sudo ./snoge -v -c unified-example.conf --debug /var/  
CONFIG: Input mode is        : unified
CONFIG: sid-msg file is      : /etc/snort/sid-msg.map
CONFIG: gen-msg file is      : /etc/snort/gen-msg.map
CONFIG: Base filename is     : /var/log/snort/snort.log
CONFIG: Ignoring Source      : 80.68.89.43 208.100.37.101
CONFIG: Ignoring Destination :
CONFIG: Ignoring SIDs        : 1421 1000000001 13948 12801
CONFIG: Updateinterval       : 3 events
CONFIG: Maxplacemarks        : 50
CONFIG: Maximum Statistics   : 4000
CONFIG: Default location     : rm-rf.co.uk
CONFIG: KMLOutputfile        : /var/www/snoge/snoge.kml
CONFIG: Server Refresh       : 5
CONFIG: waldo                : /dev/null
CONFIG: Event Icon           : warning.png
CONFIG: Sensor Icon          : snorty.gif
CONFIG: Banner               : snort-ge-banner.png
CONFIG: UpdateURL            : http://10.2.1.13/snoge/snoge.kml
CONFIG: Defense Center       : 192.168.222.20
CONFIG: Estreamer Port       : 8302
CONFIG: Certfile             : ./certfile.txt
CONFIG: Sensors              : rm-rf.co.uk sourcefire.com
CONFIG: Image URL            : http://rm-rf.co.uk/downloads/
CONFIG: classification file  : /etc/snort/classification.config
- Default Latitude set to 54
- Default Longitude set to -2
- Defailt City - >  United Kingdom
- Unified mode * Importing functions:
- Adding sensor rm-rf.co.uk in , United Kingdom
- Adding sensor sourcefire.com in Columbia, United States
- Now processing unified file(s).....
Died at ./snoge line 1089.

Original comment by bam...@gmail.com on 16 May 2011 at 7:55

GoogleCodeExporter commented 9 years ago
Go grab version 1.8, or even better update to the latest via SVN:

svn checkout http://snoge.googlecode.com/svn/trunk/ snoge-read-only

Original comment by leon.j.w...@gmail.com on 16 May 2011 at 8:16

GoogleCodeExporter commented 9 years ago
Sorry, a typo: I actually have snoge-1.8.

Original comment by bam...@gmail.com on 16 May 2011 at 8:23

GoogleCodeExporter commented 9 years ago
Could you update to the SVN release anyway? The line numbers that are reporting
errors don't match with my version, so it's making it hard for me to find where the
error could be.

-L

Original comment by leon.j.w...@gmail.com on 16 May 2011 at 8:32

GoogleCodeExporter commented 9 years ago
Below is what I get with the new version

infos@IDS:~/Build/snoge-read-only$ sudo ./snoge.pl -v -c unified-example.conf --debug /var
CONFIG: Input mode is        : unified
CONFIG: sid-msg file is      : /etc/snort/sid-msg.map
CONFIG: gen-msg file is      : /etc/snort/gen-msg.map
CONFIG: Base filename is     : /var/log/snort/snort.log
CONFIG: Ignoring Source      : 80.68.89.43 208.100.37.101
CONFIG: Ignoring Destination :
CONFIG: Ignoring SIDs        : 1421 1000000001 13948 12801
CONFIG: Event updateinterval : 100 events
CONFIG: Time updateinterval  : 0 seconds
CONFIG: Maxplacemarks        : 50
CONFIG: Maximum Statistics   : 400
CONFIG: Default location     : 80.68.89.43
CONFIG: KMLOutputfile        : /var/www/snoge/snoge.kml
CONFIG: Server Refresh       : 0
CONFIG: waldo                : /dev/null
CONFIG: Event Icon           : warning.png
CONFIG: Sensor Icon          : snorty.gif
CONFIG: Banner               : snort-ge-banner.png
CONFIG: UpdateURL            : http://10.2.1.13/snoge/snoge.kml
CONFIG: Defense Center       : 192.168.222.20
CONFIG: Estreamer Port       : 8302
CONFIG: Certfile             : ./certfile.txt
CONFIG: Sensors              : 80.68.89.43
CONFIG: Image URL            : http://rm-rf.co.uk/downloads/
CONFIG: classification file  : /etc/snort/classification.config
- Default Latitude set to 54
- Default Longitude set to -2
- Defailt City - >  United Kingdom
- Unified mode * Importing functions:
- Adding sensor 80.68.89.43 in , United Kingdom
- Now processing unified file(s).....
Died at ./snoge.pl line 1152.

Original comment by bam...@gmail.com on 16 May 2011 at 8:54

GoogleCodeExporter commented 9 years ago
Something could be "strange" with that unified file. Can you email it to me?

Original comment by leon.j.w...@gmail.com on 16 May 2011 at 9:15

GoogleCodeExporter commented 9 years ago
# Snoge config file for plotting events onto google earth
# Contact leon.ward@sourcefire.com

#############################################
#           Unified 1 example
#############################################

# Unified 1 Alert mode only supported not log.
mode=unified

# kmlfile: All modes.
#Location of the output kml file you want to create.
kmlfile=/var/www/snoge/snoge.kml

# sensors: All modes
# A space separated list of locations where a sensor is to be placed on the map. Location is specified by IP address, the geoip DB will map this to somewhere in the wo$
sensors=80.68.89.43

# basefilename: Unified1/Unified2 mode only.
# The *base* filename of the unified alert file that is to be processed. Unified files have an epoch timestamp appended to them, don't specify that timestamp, the code $

basefilename=/var/log/snort/snort.log

# classification: Unified1/Unified2 modes only.
# Location of the classification.config file. This contains human readable classtype mappings and priority data.
classification=/etc/snort/classification.config

# ignoresids: All modes
# A space separated list of sids that are to be ignored, or rather suppressed. They will not be plotted as a placemark.
ignoresids=1421 1000000001 13948 12801

# imageurl: All modes
# Where can your image files be found? Images include event icons, and banner
imageurl=http://rm-rf.co.uk/downloads/

# sensoricon: All modes
# What icon would you like used for the sensor placemarks. This file name will be appended to the image url
sensoricon=snorty.gif
# eventicon: All modes
# What icon would you like used for your event placemarks. This file name will be appended to the image url
eventicon=warning.png

# waldo: Unified1/Unified2 modes only
# Location of a waldo file. This should be different to any other waldos you already have for barnyard, tweetyard, etc. This file is used to track what events have bee$
waldo=/dev/null

# sid-msg: Unified1/Unified2 modes only
# Location of the sid-msg.map file. Used to translate a SID into an event message
sid-msg=/etc/snort/sid-msg.map

# gen-msg: Unified1/Unified2 modes only
# Location of the gen-msg.map file. Used to translate a GID into a generator name
gen-msg=/etc/snort/gen-msg.map

# ignoresource: All modes
# Space separated list of ip addresses to ignore events from where IP is the src_addr
ignoresource=80.68.89.43 208.100.37.101

# ignoredestination: All modes
# Space separated list of ip addresses to ignore events from where IP is the dest_addr
ignoredestination=

# maxplacemarks: All modes
# Maximum number of events to plot at one time. FIFO
maxplacemarks=50

# eventupdateinterval: All modes
# Update map, and create a new KML file every <eventupdateinterval> events. Prevents heavy load on the process. 0 = every event
eventupdateinterval=100

# maxstats: All modes
# Maximum number of events to track for distribution bars. This can be greater or less than maxplacemarks.
maxstats=400

# Use default location instead
# defaultlongitude: If we can't find the event source (RFC1918?), where do we put the event source
# defaultlongitude=0
# defaultlocation: All modes
# Where to place events where the source cannot be located (RFC1918?).
defaultlocation=80.68.89.43

# updateurl: Server files only.
# Used when creating a server KML file, where (URL) can the updated event kml file be found.
updateurl=http://10.2.1.13/snoge/snoge.kml

# banner: Server file only
# Name of the image file to be used as a banner (imageurl/banner)
banner=snort-ge-banner.png

# refreshsecs: Server files only
# Used when creating a server KML file. How often do we reload an updated dataset.
refreshsecs=0

Original comment by bam...@gmail.com on 16 May 2011 at 9:24
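The "unable to open" in the first post, the `snort:adm 0640` permissions shown there, and the config comment above that unified1 alert mode is supported but log mode is not, point at two checks worth automating before chasing line numbers: can the running user read the newest `basefilename.<epoch>` file, and does that file carry the unified1 *alert* magic or the unified1 packet-*log* magic. The script below is an added example written for this page, not snoge's own code. It assumes the unified1 magic constants as I recall them from Snort's `spo_unified.c` (ALERT_MAGIC `0xDEAD4137`, LOG_MAGIC `0xDEAD1080`); verify them against your Snort source. The config text and the sample files it inspects are constructed inline so it runs offline.

```python
"""Diagnose a snoge-style unified1 input before blaming the parser.

Added example, not part of snoge.  Three checks the thread touches on:
 1. the effective user can actually read the file,
 2. the file is a unified1 *alert* file, not a unified1 *log* file
    (snoge's config says only alert mode is supported),
 3. which basefilename.<epoch> file is the newest (snoge takes the base
    name without the timestamp, as the config comment describes).
Magic values are an assumption taken from Snort's spo_unified.c as
remembered; confirm them against your own Snort source tree.
"""
import os
import re
import struct
import tempfile

ALERT_MAGIC = 0xDEAD4137  # assumption: Snort unified1 alert file magic
LOG_MAGIC = 0xDEAD1080    # assumption: Snort unified1 packet-log file magic


def parse_snoge_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def unified1_kind(path):
    """Return 'alert', 'log' or 'unknown' from the first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "unknown"
    # Snort writes the unified1 header in host byte order, so try both.
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, head)[0]
        if magic == ALERT_MAGIC:
            return "alert"
        if magic == LOG_MAGIC:
            return "log"
    return "unknown"


def newest_unified_file(basefilename):
    """Find basefilename.<epoch> siblings and return the newest by timestamp."""
    directory, base = os.path.split(basefilename)
    pattern = re.compile(re.escape(base) + r"\.(\d+)$")
    candidates = []
    for name in os.listdir(directory or "."):
        match = pattern.match(name)
        if match:
            candidates.append((int(match.group(1)), os.path.join(directory, name)))
    if not candidates:
        return None
    return max(candidates)[1]


def diagnose(conf_text, explicit_file=None):
    """Resolve the input file (explicit path or newest basefilename.<epoch>),
    then report readability and unified1 kind as a dict."""
    conf = parse_snoge_conf(conf_text)
    path = explicit_file or newest_unified_file(conf["basefilename"])
    if path is None:
        return {"path": None, "readable": False, "kind": "missing"}
    readable = os.access(path, os.R_OK)
    kind = unified1_kind(path) if readable else "unreadable"
    return {"path": path, "readable": readable, "kind": kind}


def demo():
    """Constructed data: a fake packet-log file and a fake alert file, each
    just the 4-byte magic plus zero padding, which is enough for the check."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "snort.log.1305109770"), "wb") as fh:
        fh.write(struct.pack("<I", LOG_MAGIC) + b"\0" * 28)
    with open(os.path.join(tmp, "snort.alert.1305109800"), "wb") as fh:
        fh.write(struct.pack("<I", ALERT_MAGIC) + b"\0" * 28)
    conf_log = "mode=unified\nbasefilename=%s\n" % os.path.join(tmp, "snort.log")
    conf_alert = "mode=unified\nbasefilename=%s\n" % os.path.join(tmp, "snort.alert")
    return diagnose(conf_log), diagnose(conf_alert)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it as the same user snoge runs as (under `sudo` in the thread, so `readable` should be true); a `kind` of `log` for a `snort.log.<epoch>` basefilename means the file is Snort's unified packet log, which the config comment says snoge's unified1 mode does not handle, whereas `alert` means the file format is at least the expected one and the failure lies elsewhere.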