SnoGE
Yes the name is new, and the code is updated.
Mike Guiterman persuaded me to take part in a Snort Users webex, “Pimp My Snort”, which gave me a great excuse to update and document my old Snort / Google Earth mash-up. I am now happy to present “SnoGE” (pronounced snoog-ie). An archive of the presentation is now available on snort.org.
Features
- Plots Snort IPS events onto Google Earth
- Supports Unified alert files (snort’s recommended output format)
- Auto-update KML file with new events
- Optional auto-refresh of Google Earth to display the latest attacks
- Highlight latest event on the map
- Represent top locations in the form of a bar (blue = city, green = country)
- Track location statistics along with attacks
- Multi-user capable
- Optional banner for custom branding
- Cool Eye-candy
They say a picture is worth a thousand words, so take a look at the image.
Snoge is now hosted and available on Google Code, head over here to download the latest release.
For help with SnoGE, and if you run into issues please go to http://code.google.com/p/snoge/issues/list
Snoge is a Snort unified reporting tool: it processes your unified files (that’s Snort’s output format) and represents them as place-marks on Google Earth. It can operate in a few modes: real-time, refresh, and one-time.
Installation
As you may have guessed, SnoGE relies on quite a few external components. To get the system functioning you will need the following:
- A Linux system (I’ve used Debian stable while developing, although it should work on other distributions)
- SnortUnified (perl module)
- Geo::IP::PurePerl (perl module)
- NetPacket::Ethernet (perl module)
- The Maxmind geoip database
- A web server (for the auto-update features)
1) Grab and extract the SnoGE tarball
Download here
2) Grab and install build / run requirements
lward@webexprep:~$ mkdir Build
lward@webexprep:~$ cd Build/
lward@webexprep:~/Build$ wget http://snort-unified-perl.googlecode.com/files/SnortUnified_Perl.20070927.tgz
lward@webexprep:~/Build$ tar -zxvf ./SnortUnified_Perl.20070927.tgz
lward@webexprep:~/Build$ cd snort-unified-perl/
lward@webexprep:~/Build/snort-unified-perl$ sudo cp SnortUnified.pm /usr/local/lib/perl/5.10.0
lward@webexprep:~/Build/snort-unified-perl$ cd
lward@webexprep:~$ sudo cpan "NetPacket::Ethernet"
lward@webexprep:~$ sudo cpan "Geo::IP::PurePerl"
lward@webexprep:~$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
lward@webexprep:~$ gunzip ./GeoLiteCity.dat.gz
lward@webexprep:~$ sudo mkdir /usr/local/share/GeoIP
lward@webexprep:~$ sudo cp GeoLiteCity.dat /usr/local/share/GeoIP/
lward@webexprep:~$ sudo apt-get install apache2
3) Grab your unified Log files
If you have Snort already running on this system, you will likely find them in /var/log/snort/. Showing you how to get Snort working is far beyond the scope of this document.
Configuration
SnoGE’s configuration lives in a single config file. By default it’s called snoge.conf, and it should only need some minor tweaks for your environment.
kmlfile="/var/www/snoge/snoge.kml"
Google Earth reads KML files, therefore this is the output format of SnoGE. Opening a KML file will lead to its contents being plotted on your map. In my example above, I have a directory called “snoge” under /var/www. The user that runs snoge on my system (lward) has write access to this location.
lward@webexprep:~/snoge$ sudo mkdir /var/www/snoge
lward@webexprep:~/snoge$ sudo chown lward /var/www/snoge/
basefilename="/var/log/snort/snort.alert"
The base filename for your Unified alert files is set in your snort.conf. I, like most others, use the default snort.alert.
updateurl="http://192.168.222.133/snoge/snoge.kml"
This is where updates are downloaded from when run in auto-refresh mode. The IP of my device is 192.168.222.136, and the directory I made earlier was called snoge.
Usage
lward@webexprep:~/snoge$ ./snoge
I need a config file. Take a look at usage
* Snort unified -> Google Earth 1.5
leon.ward@sourcefire.com. No warranties are provided or are inferred to the accuracy or reliability of this code.
Use at your own risk.
-c or --config Specify config file
-v or --verbose Enable verbose mode
-o or --onetime One time run with a single unified file.
-r or --refresh Create a “server” KML file for automated updates
For our first try, let’s do a simple one-time run through a unified alert file. I have one called /var/log/snort/snort.alert.1240856559.
lward@webexprep:~/snoge$ ./snoge -c snoge.conf --onetime /var/log/snort/snort.alert.1240856559
Doing a single run
lward@webexprep:~/snoge$ ls /var/www/snoge/snoge.kml -l
-rw-r--r-- 1 lward lward 61685 2009-07-20 09:56 /var/www/snoge/snoge.kml
lward@webexprep:~/snoge$
I now have a KML file to open in Google Earth. Because it’s being written to a location published by Apache, I can access it over the Internet from my OSX laptop. When I type the URL “http://192.168.222.136/snoge/snoge.kml” into Firefox, Google Earth opens up the KML as expected. A screenshot of mine is on the right there -->.
Because this was a one-time run through, this file will never change. If you like the idea of keeping this file up to date with “current” events, we need to track what events have been plotted and keep looking for more events. Assuming you have configured the basefilename correctly, running snoge without the --onetime flag will keep the file up to date.
Verbose mode will inundate you with information for debugging, but in general snoge is a quiet beast.
lward@webexprep:~/snoge$ ./snoge -c snoge.conf
Every time you RE-OPEN the KML file, it will be up to date. Note that re-open is a key word here; if you want the system to auto-update itself you need to enable refresh mode.
Refresh mode uses a second KML file, and is simple to use. First, create your server KML file:
lward@webexprep:~/snoge$ ./snoge -r /var/www/snoge/server.kml -c snoge.conf
Creating a server KML to serve event updates
Filename: /var/www/snoge/server.kml
Update interval: 10
ImageURL: http://rm-rf.co.uk/downloads/
Banner: snort-ge-banner.png
lward@webexprep:~/snoge$
Then, run snoge as before
lward@webexprep:~/snoge$ ./snoge -c snoge.conf
Rather than access the snoge.kml file from your Google Earth client, access the server.kml file instead.
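The two-file arrangement described above, as an added sketch in Python (not SnoGE's own Perl code): a data KML holding one Placemark per event, and a server KML whose NetworkLink makes Google Earth re-fetch the data file on an interval. That SnoGE's files use exactly these KML elements is an assumption; the function names, event records and coordinates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
ET.register_namespace("", KML_NS)  # serialise with KML as the default namespace

# Constructed sample events: documentation-range addresses, made-up positions.
# In a real run the lat/lon would come from the GeoIP lookup.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "sid": 2000001, "lat": 53.9667, "lon": -1.0833,
     "msg": "Constructed alert <one> & more"},
    {"src": "198.51.100.7", "sid": 2000002, "lat": 39.2037, "lon": -76.861,
     "msg": "Constructed alert two"},
    {"src": "10.0.0.5", "sid": 2000003, "lat": None, "lon": None,
     "msg": "Constructed alert from a private address"},
]


def add(parent, tag, text=None):
    """Append a namespaced child element to parent and return it."""
    child = ET.SubElement(parent, "{%s}%s" % (KML_NS, tag))
    child.text = text
    return child


def build_event_kml(events, max_placemarks=50):
    """Data file (snoge.kml in the article): one Placemark per located event."""
    root = ET.Element("{%s}kml" % KML_NS)
    doc = add(root, "Document")
    add(doc, "name", "IPS events")
    # Events with no geolocation (e.g. private addresses) cannot be plotted.
    located = [e for e in events if e["lat"] is not None and e["lon"] is not None]
    for ev in located[-max_placemarks:]:  # keep only the newest N on the map
        pm = add(doc, "Placemark")
        add(pm, "name", "%s (sid %d)" % (ev["src"], ev["sid"]))
        # ElementTree escapes &, < and > in text, so the file stays well-formed.
        add(pm, "description", ev["msg"])
        point = add(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude (not lat,lon).
        add(point, "coordinates", "%s,%s,0" % (ev["lon"], ev["lat"]))
    return ET.tostring(root, encoding="unicode")


def build_server_kml(update_url, interval_seconds):
    """Server file (server.kml): tells the client where and how often to reload."""
    root = ET.Element("{%s}kml" % KML_NS)
    net = add(root, "NetworkLink")
    add(net, "name", "Event updates")
    link = add(net, "Link")
    add(link, "href", update_url)
    add(link, "refreshMode", "onInterval")
    add(link, "refreshInterval", str(interval_seconds))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_event_kml(SAMPLE_EVENTS))
    print(build_server_kml("http://192.168.222.136/snoge/snoge.kml", 10))
```

The client only ever opens the small server file; the data file can be rewritten as often as new events arrive.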


Hi Leon,
I saw this on the SNORT webinar on the 24th. I am receiving an error. See info below:
This is a centos 5.3 with Perl 5.8.8.
[SNORT bin]# snoge -c /etc/snoge.conf
Died at /usr/local/bin/snoge line 910.
Here is my snoge.conf
Here is a listing of my /var/log/snort
[root@HQSNORT snort]# snoge snoge -c /etc/snoge.conf
Died at /usr/local/bin/snoge line 910.
[root@HQSNORT snort]# ls -la /var/log/snort
total 86748
drwxr-xr-x 2 snort snort 4096 Jul 31 13:43 .
drwxr-xr-x 16 root root 4096 Jul 31 04:05 ..
-rw-r--r-- 1 root root 2056 Jul 30 14:26 barnyard.waldo
-rw-r--r-- 1 root root 0 Jul 30 12:00 snort.log
-rw-r--r-- 1 root root 1471757 Jul 30 13:33 snort.log.1248972337
-rw-r--r-- 1 root root 0 Jul 30 13:48 snort.log.1248976109
-rw-r--r-- 1 root root 87242382 Jul 31 06:14 snort.log.1248978071
-rw-r--r-- 1 root root 0 Jul 31 08:39 snort.log.1249043978
Any thoughts
Thank you for your help
Dana
Dana Burrows
July 31, 2009 at 5:55 pm
Dana,
Did you get this working?
-Leon
leon
September 25, 2009 at 10:08 am
Hi Dana.
Snoge is failing to do two things for you.
1) Open up the latest unified log file to process
2) Nicely report *why* it is failing to open up the unified file.
Run Snoge in verbose mode(-v) and email me the output.
-L
leonward
August 4, 2009 at 4:33 pm
Is this supposed to open in Google Earth, or be embedded in the browser? Thanks
T Dub
August 7, 2009 at 4:45 pm
It will open in your local copy of Google Earth.
leonward
August 17, 2009 at 1:10 pm
I’m sure this is something simple…but how do I get Google Earth to recognize a kml file from a link?
It publishes to Apache the kml file. However, Google Earth’s browser function, IE, and Firefox all display a screen of XML instead of actually processing it.
Paul
November 5, 2009 at 12:21 am
What OS and browser are you using? What’s the suffix of your KML file set to?
leonward
November 6, 2009 at 11:55 am
Windows XP. As above…both IE 8 and Firefox 3 won’t open the kml in Google Earth. I also tried an XP laptop with Firefox with the same result. Both systems have Google Earth installed. The kml is registered to Google earth in the OS…so if I could download it instead of it displaying as XML it would load in Google Earth just like a local kml does…I checked the file types in Firefox and kml isn’t even defined so in theory it should ask me what to do but just displays it as xml code instead of loading up or asking to download.
Paul
November 7, 2009 at 1:53 am
Does SnoGE work with unified2 alerts or just unified?
famousjs
November 14, 2009 at 5:11 am
Hi, This is really a cool plugin, but does it work with the new unified files ? (unified2) ? It will be really cool if it does.
cam
February 4, 2010 at 8:58 pm
Not tested it. If the underlying snort-unified-perl library supports it, it might “just work”.
Try it out and let me know how/if it breaks.
-L
leonward
February 4, 2010 at 9:30 pm
UPDATED: Yes, SnoGE now works with unified2
leonward
May 25, 2010 at 2:13 pm
Hello
I am trying to install under CentOS 5.3. After following all the instructions I am getting this error (below). I have downloaded and installed the Load module too, but still get the error.
Any ideas? Please advise.
thanks
**********************error*********************
./snoge
Can't locate Module/Load.pm in @INC (@INC contains: .. /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 . ..) at ./snoge line 35.
BEGIN failed--compilation aborted at ./snoge line 35.
[root@gfn-ids snoge]#
Tal
February 26, 2010 at 8:00 pm
As you pointed out already, it’s unable to find Module::Load. Something must have gone wrong with your install of that module. If you’re new to Perl, take a look at cpan.
leonward
February 26, 2010 at 9:17 pm
Thanks
In the first place I didn’t install the right Load module; it has to be the Module-Load-0.16 module.
cheers
Tal
February 27, 2010 at 8:02 am
Hi leonward, what is the use of locating the attackers on G Earth? What kind of application can be developed using snoge?
erric
March 9, 2010 at 6:10 pm
SnoGE is a data visualization tool. It provides a qualitative view of where the event sources are.
leonward
March 14, 2010 at 11:13 am
Hello,
I installed snoge and was able to run it on the example.csv, but when I try to run it on a unified file it returns the error :
Unified mode * Importing functions:
"meta_handlers" is not defined in %SnortUnified::EXPORT_TAGS at ./snoge line 305
Can't continue after import errors at ./snoge line 305
Any idea on this one? I ran the verbose mode and it did not turn up anything of note. The only change I made to the snoge.conf file was uncommenting the unified mode and commenting the csv mode. Here is my setup:
Ubuntu 8.04
SnortUnified_Perl.20100308
snoge-1.7
I placed the SnortUnified_Perl files in /usr/local/lib/perl/5.8.8/SnortUnified/
I might try the older version of SnortUnified_Perl…
Brad
March 16, 2010 at 7:15 pm
The Jason has released an updated version of snort-unified-perl. The version of SnoGE in svn works with this version, and also works with unified2 files. I see that you have already tried with SnortUnified_Perl.20070927 with success.
If you get a chance, please take a look at the version in SVN. If it works for others I’ll roll it into a new version tarball.
-Leon
leonward
March 18, 2010 at 10:48 am
UPDATE: Using the SnortUnified_Perl.20070927 version worked…
Brad
March 16, 2010 at 7:28 pm
Hello
I have installed it and tried to run it for the first time with the command line as follows: "./snoge -c snoge.conf -v -m unified -o /var/log/snort/snort.log.1269509132"
I get the following error below
Please advise
Thanks
******************
Config: Input mode is unified
CONFIG: Creating output file ./snoge.kml
CONFIG: Adding a sensor for location rm-rf.co.uk
CONFIG: Adding a sensor for location sourcefire.com
CONFIG: Base filename is /var/log/snort/alert.ids
CONFIG: Classification.confg set to /etc/snort/classification.config
CONFIG: Ignoring SID 1421
CONFIG: Ignoring SID 1000000001
CONFIG: Ignoring SID 13948
CONFIG: Ignoring SID 12801
CONFIG: Images expected at http://rm-rf.co.uk/downloads/
CONFIG: Using snorty.gif as the event icon
CONFIG: Using warning.png as the event icon
CONFIG: Using waldo file /dev/null
Config: Sid-msg file is /etc/snort/sid-msg.map
CONFIG: gen-msg file is /etc/snort/gen-msg.map
CONFIG: Ignoring source ip 80.68.89.43
CONFIG: Maximum number of placemarks set to 50 events
CONFIG: Updateinterval set to 0 events
CONFIG: Maximum number of events to track in bars set to 4000
CONFIG: Default locarion set to rm-rf.co.uk.
- Default Latitude set to 53.9667
- Default Longitude set to -1.08330000000001
- Defailt City – > York United Kingdom
CONFIG: Default latitude for unknown location set to 53.9667
CONFIG: Update URL is http://x.x.x.119/snoge/snoge.kml for serverKML
CONFIG: Banner is snort-ge-banner.png in serverKML
CONFIG: Refreshing every 5
CONFIG: Defense Center IP is x.x.x.119
CONFIG: Defense Center Port is 8302
CONFIG: Defense Center SSL Cert is /home/lward/certfile.txt
Unified mode * Importing functions:
- Adding sensor rm-rf.co.uk in York, United Kingdom
- Adding sensor sourcefire.com in Columbia, United States
- Now processing unified file(s)…..
Working on single file /var/log/snort/snort.log.1269509132
unable to open /var/log/snort/snort.log.1269509132 at ./snoge line 1211.
Tal
March 27, 2010 at 2:14 pm
Maybe file permissions.
$ whoami
$ ls -l /var/log/snort/snort.log.1269509132
$ file /var/log/snort/snort.log.1269509132
Rather than track support issues here, please add to http://code.google.com/p/snoge/issues/list.
Thanks
-Leon
leonward
March 29, 2010 at 1:57 pm
Hello
Works Ubuntu 9.10
barnyard2
snoge-1.7
As I am using barnyard2’s unified2 output, and read above that SnortUnified_Perl.20070927 does not support unified2 output, I installed SnortUnified_Perl.20100308.
Run Snoge: ./snoge -c snoge.conf --onetime (or -o) /var/log/snort/snort.u2.1269520880
Output error:
Can't locate SnortUnified/Handlers.pm in @INC (@INC contains: .. /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . ..) at /usr/local/lib/perl/5.10.0/SnortUnified.pm line 58.
BEGIN failed--compilation aborted at /usr/local/lib/perl/5.10.0/SnortUnified.pm line 58.
Compilation failed in require at ./snoge line 36.
BEGIN failed--compilation aborted at ./snoge line 36.
I tried verbose mode but it has not delivered.
Here are my pieces of executable and configuration files:
executable file:
use strict;
use warnings;
use Sys::Hostname;
use Data::Dumper;
use Socket;
use Geo::IP::PurePerl;
use Module::Load;
use SnortUnified qw(:DEFAULT :meta_handlers);
my $configFile = 0;
my $UF_Data = ();
my $record = ();
configuration file:
mode="unified"
# mode="estreamer"
# mode="csv"
# Tested with unified 1 "Alert" output
# Kmlfile: Location of the output kml created by processing unified logs. This is not the location of the server file, take a look at the command line arguments to set that.
kmlfile="/var/www/snoge/snoge.kml"
# Sensors: A space separated list of "locations" where a sensor is to be placed on the map. Location is specified by IP address, the geoip DB will map this to somewhere in the world.
sensors="rm-rf.co.uk sourcefire.com"
# Basefilename: The name of the unified alert file that is to be processed. Unified files have a epoch timestamp appended to them, don't specify that timestamp, the code will work it out. If you do want to process a specific file, take a look at the command line "-o" argument.
basefilename="/var/log/snort/snort.u2"
How to solve the problem?
Thank you.
purgen
March 30, 2010 at 2:13 pm
Snoge 1.7 does not work with SnortUnified_Perl.20100308 (required for unified2 log support).
SnoGE 1.8 does indeed use SnortUnified_Perl.20100308 and supports unified2 files.
Let me know if it works for you.
leonward
March 31, 2010 at 9:54 am
Updated to Snoge-1.8, nothing happens
Writes an error:
- Cant find default location for "rm-rf.co.uk"!
Unknown mode. at ./snoge line 263, line 92.
I tried to run in csv mode with the options -m csv --onefile example.csv, and in unified mode. In both cases the error is the same.
purgen
April 5, 2010 at 10:08 am
Purgen, I broke some stuff in 1.8. Apologies.
Checkout the latest code from SVN and it should work for you.
Note that the -m argument is deprecated.
e.g.
lward@lenny:~/code/snoge$ ./snoge -c csv-example.conf -o example.csv
CSV File mode (processing example.csv)
Processing CSV file example.csv…
KML file ./snoge.kml created.
lward@lenny:~/code/snoge$
To do a svn checkout, the following should work.
svn checkout http://snoge.googlecode.com/svn/trunk/ snoge-read-only
If you find any other problems, please raise an issue here -> http://code.google.com/p/snoge/issues/list.
Thank you.
leonward
April 5, 2010 at 12:02 pm
I had the same problem
“- Cant find default location for “rm-rf.co.uk”!
Unknown mode. at ./snoge line 263, line 92.”
updated from svn and now get this
root@snort:/usr/local/snoge-1.8.1# ./snoge -v -c snoge.conf -o /var/log/snort/snort.u2.1270543251
CONFIG: Input mode is : "unified"
CONFIG: sid-msg file is : /usr/local/snort/etc/sid-msg.map
CONFIG: gen-msg file is : /usr/local/snort/etc/gen-msg.map
CONFIG: Base filename is : /var/log/snort/snort.u2
CONFIG: Ignoring Source : 80.68.89.43
CONFIG: Ignoring Destination :
CONFIG: Ignoring SIDs : 1421 1000000001 13948 12801
CONFIG: Updateinterval : 0 events
CONFIG: Maxplacemarks : 50
CONFIG: Maximum Statistics : 4000
CONFIG: Default location : rm-rf.co.uk
CONFIG: KMLOutputfile : /var/www/snoge/snoge.kml
CONFIG: Server Refresh : 5
CONFIG: waldo : /dev/null
CONFIG: Event Icon : warning.png
CONFIG: Sensor Icon : snorty.gif
CONFIG: Banner : snort-ge-banner.png
CONFIG: UpdateURL : http://172.18.10.129/snoge/snoge.kml
CONFIG: Defense Center : 192.168.222.20
CONFIG: Estreamer Port : 8302
CONFIG: Certfile : ./certfile.txt
CONFIG: Sensors : rm-rf.co.uk sourcefire.com
CONFIG: Image URL : http://rm-rf.co.uk/downloads/
CONFIG: classification file : /usr/local/snort/etc/classification.config
- Default Latitude set to 53.9667
- Default Longitude set to -1.08330000000001
- Defailt City – > York United Kingdom
Unknown mode. at ./snoge line 260, line 77.
ma6oo
April 6, 2010 at 2:31 pm
The config file format has changed a little in 1.8 (note the lack of ""). The file snoge.conf should no longer be in the release or in the repository, it was updated to become example-unified.conf.
Please post future problems on the googlecode page, it’s a nightmare tracking them to resolution in blog comments.
-Leon
leonward
April 6, 2010 at 2:43 pm
Hello,
Please help with error below.
Works Ubuntu 10.10
barnyard2
snoge-1.8
I am getting this problem with unified, i have tested with csv and it works fine.
infos@IDS:~/Build/snoge$ ./snoge -c unified-example.conf --onefile /var/log/snort/snort.log.1304505368 -w /var/www/snoge/snoge.kml
- Unified mode * Importing functions:
Can't locate SnortUnified/MetaData.pm in @INC (@INC contains: .. /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . ..) at ./snoge line 214, line 97.
Mohamed
May 10, 2011 at 9:04 am
Hi,
It looks like you need to install the unified perl modules. Take a look here.
http://code.google.com/p/snort-unified-perl/
leonward
March 20, 2012 at 12:06 pm
Hello,
I’m using Ubuntu 10.10
When I tried to run this;
saat@saat:~/Desktop/snoge-1.8$ perl snoge -c snoge.conf --onefile example.csv -m csv -w /var/www/snoge/snoge.kml
Then it shows this;
Error opening /usr/local/share/GeoIP/GeoLiteCity.dat at /usr/local/share/perl/5.10.1/Geo/IP/PurePerl.pm line 183
how can I solve this problem?
zam
March 15, 2012 at 8:13 am
You need to download the geo ip database. It’s covered in the installation docs. I suggest you take a look there.
leonward
March 15, 2012 at 12:39 pm
and also if I run this;
saat@saat:~/Desktop/snoge-1.8$ perl snoge -c snoge.conf -o /var/log/snort/snort.log.1331570196
it will show this;
Unknown mode. at snoge line 263, line 92.
anybody can help?
zam
March 15, 2012 at 10:13 am
What is the relevant line in your snoge.conf?
leonward
March 15, 2012 at 12:35 pm
everything is like original file.
I just edit this part:
#defaultlocation="rm-rf.co.uk" <-- (only comment this line)
at line 92, there is only empty space after the certfile line.
# Location for SSL certificate
certfile="/home/lward/certfile.txt";
(here is line 92)
zam
March 18, 2012 at 4:29 pm
Yeah I know what that is.
The format of the config file changed a long time ago and no longer requires “”. In fact it doesn’t handle them well. I can only assume you’ve managed to mix an old example.conf with a more recent version of snoge.
Included in the tarball are examples for CSV, unified, and also estreamer.
E.g.
[12:03:45]lward@largo~/code/snoge$ head -n 20 csv-example.conf
# Snoge config file for plotting events onto google earth
# See the README.config for details of all configuration elements.
#############################################
# CSV Example config file
#############################################
mode=csv
kmlfile=./snoge.kml
sensors=rm-rf.co.uk sourcefire.com
classification=/etc/snort/classification.config
sid-msg=/etc/snort/sid-msg.map
gen-msg=/etc/snort/gen-msg.map
imageurl=http://rm-rf.co.uk/downloads/
sensoricon=snorty.gif
-L
leonward
March 20, 2012 at 12:04 pm
ah. my bad.
I did not read the instruction and the comment over here http://code.google.com/p/snoge/wiki/Install
silly of me.
after I remove the quote (“”),
everything is working fine.
thanks leonward!
Another thing is,
how can I make this script run automatically if there is a new threat detected?
zam
March 20, 2012 at 12:35 pm
You need to use a parent/server KML file (I use the term interchangeably). Take a look at the install doc and the --parent switch, the server section of the unified-example.conf and the install wiki doc.
-L
leonward
March 20, 2012 at 2:13 pm