
Output Issue #17

Closed
roobixx opened this issue Mar 11, 2015 · 5 comments

Comments

@roobixx

roobixx commented Mar 11, 2015

When I try to process a unified log file with u2json, all I get is the following:
Discarding non-event type while not in event context.
Discarding non-event type while not in event context.
Discarding non-event type while not in event context.
Discarding non-event type while not in event context.
Discarding non-event type while not in event context.
...

The command I am running is: sudo idstools-u2json --snort-conf /etc/snort/snort.conf unified2.log
and I know for a fact that data is in that file.

Most likely an OE on my part, but any help would be greatly appreciated.

@jasonish
Owner

Are you able to share this unified log file, or a portion of it?

@roobixx
Author

roobixx commented Mar 11, 2015

Not sure the best place to load it so I just put it on google drive

https://drive.google.com/file/d/0B81vhRROPiNyaWV3UEhSaG1RbWM/view?usp=sharing

@jasonish
Owner

This unified2 file has no event records in it. It has a lot of packet records, and some extra data records, but lacks event records. You can verify this using u2spewfoo (from Snort) or idstools-u2spewfoo; both tools just dump the contents record by record.

idstools-u2json requires an event record to get started. It will then bundle the event record, and following packets and extra data, into a JSON representation of the event.

I'm curious how this file was generated; I've rarely seen this many packets without any event records.

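As an added illustration of the aggregation jasonish describes (this is not code from py-idstools): a simplified re-implementation that reads the 8-byte unified2 record headers, groups records into events the way u2json does, and emits the "Discarding" message when packet or extra-data records arrive before any event record. The record type codes are Snort's; the record bodies and the two sample streams are constructed placeholders.

```python
import struct

# Unified2 record type codes (Snort's Unified2_common.h).
PACKET, IDS_EVENT, IDS_EVENT_IPV6 = 2, 7, 72
IDS_EVENT_V2, IDS_EVENT_IPV6_V2, EXTRA_DATA = 104, 105, 110
EVENT_TYPES = {IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_V2, IDS_EVENT_IPV6_V2}


def read_records(data):
    """Yield (type, payload) per record: 8-byte big-endian header
    (type, length) followed by `length` bytes of record body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def aggregate(data):
    """Group records u2json-style: an event record opens a context, following
    packet/extra-data records attach to it, anything seen with no open event
    is discarded. Returns (events, discarded_record_types)."""
    events, discarded, current = [], [], None
    for rtype, payload in read_records(data):
        if rtype in EVENT_TYPES:
            if current is not None:
                events.append(current)
            current = {"event": payload, "packets": [], "extra": []}
        elif current is None:
            discarded.append(rtype)
            print("Discarding non-event type while not in event context.")
        elif rtype == PACKET:
            current["packets"].append(payload)
        elif rtype == EXTRA_DATA:
            current["extra"].append(payload)
    if current is not None:
        events.append(current)
    return events, discarded


def record(rtype, body):
    """Build one record; bodies here are placeholders, not real Snort structs."""
    return struct.pack(">II", rtype, len(body)) + body


# Constructed streams: one like the file in the issue (packets only), one healthy.
PACKETS_ONLY = b"".join(record(PACKET, b"pkt") for _ in range(3)) + record(EXTRA_DATA, b"x")
WITH_EVENTS = (record(PACKET, b"orphan") + record(IDS_EVENT_V2, b"ev1")
               + record(PACKET, b"p1") + record(EXTRA_DATA, b"e1")
               + record(IDS_EVENT_V2, b"ev2") + record(PACKET, b"p2"))
```

Running aggregate(PACKETS_ONLY) yields no events and one "Discarding" line per record, which is exactly the behaviour reported above; aggregate(WITH_EVENTS) discards only the leading orphan packet and produces two events.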

@roobixx
Author

roobixx commented Mar 11, 2015

Ahh ok!

I was having issues with snort not generating any alerts, so I created a rule to basically capture everything. That is why you see so many packets.

@jasonish
Owner

jasonish commented Jul 1, 2015

Given the log file, the output was to be expected. Closing.

@jasonish jasonish closed this as completed Jul 1, 2015