[Snort-devel] Barnyard-0.1.0-beta2 available

Martin Roesch roesch at ...402...
Fri Aug 31 13:29:46 EDT 2001


The initial Barnyard release is available at
http://www.snort.org/downloads/barnyard-0.1.0-beta2.tar.gz.

Barnyard can process data produced by the spo_unified output plugin and
reformat that data into any output format.  Currently, spo_unified
supports two output types, alert (event) and log.  The alert output
contains just the critical information about an event such as the IPs
and ports, rule information, classification and priority.  The log
output type contains the event information (rule id, classification,
event ID and reference, etc) plus the full packet log.

There are currently two output plugins that can take advantage of this
data and demonstrate the capabilities of barnyard.  The "op_fast" plugin
generates output that's an analog of the output generated by the
alert_fast Snort output plugin.  It generates a summary of an event
based on the data coming out of the unified alert file.  The
"op_logdump" plugin can read the unified log format and will give a dump
of the event information plus the full packet dump, similar to Snort's
ASCII log output.
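As an added illustration of the split described above (Snort writes compact binary records, a separate process reformats them), here is a minimal op_fast-style reader in Python. It is not Barnyard's code, and the record layout is a constructed, simplified assumption, not Snort's real spo_unified struct; the fields are the ones the announcement names (IPs, ports, rule id, classification, priority, event id).

```python
import socket
import struct
from datetime import datetime, timezone

# Constructed, simplified alert record (an assumption for this example; Snort's
# real spo_unified struct differs): little-endian, no padding.
#   ts(u32) gen_id(u32) sig_id(u32) sig_rev(u32) class(u32) priority(u32)
#   event_id(u32) src_ip(4s) dst_ip(4s) sport(u16) dport(u16) proto(u8)
RECORD_FMT = "<IIIIIII4s4sHHB"
RECORD_SIZE = struct.calcsize(RECORD_FMT)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def pack_alert(ts, gen, sid, rev, cls, pri, eid, src, dst, sp, dp, proto):
    """Write one record the way the sensor side would (used to build sample input)."""
    return struct.pack(RECORD_FMT, ts, gen, sid, rev, cls, pri, eid,
                       socket.inet_aton(src), socket.inet_aton(dst), sp, dp, proto)


def parse_alerts(data):
    """Return (records, bytes_consumed). A trailing partial record is left
    unconsumed: the sensor may still be appending it, so the reader must not
    treat it as corrupt or skip past it."""
    records, offset = [], 0
    while offset + RECORD_SIZE <= len(data):
        records.append(struct.unpack_from(RECORD_FMT, data, offset))
        offset += RECORD_SIZE
    return records, offset


def format_fast(rec):
    """Render one record as an alert_fast-style single line."""
    ts, gen, sid, rev, cls, pri, eid, src, dst, sp, dp, proto = rec
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d-%H:%M:%S")
    return (f"{when} [**] [{gen}:{sid}:{rev}] event {eid} [**] "
            f"[Classification: {cls}] [Priority: {pri}] "
            f"{{{PROTO_NAMES.get(proto, str(proto))}}} "
            f"{socket.inet_ntoa(src)}:{sp} -> {socket.inet_ntoa(dst)}:{dp}")


if __name__ == "__main__":
    # Constructed sample: one full record followed by a partially written one.
    full = pack_alert(999278986, 1, 1000001, 1, 3, 2, 7,
                      "10.0.0.5", "192.168.1.10", 4242, 80, 6)
    recs, used = parse_alerts(full + full[:10])
    for r in recs:
        print(format_fast(r))
    print(f"consumed {used} of {len(full) + 10} bytes; rest waits for the next pass")
```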

If you're going to use Barnyard you need to upgrade to build 77 from CVS
(or the daily tarball on snort.org).  We've made some changes and
improvements to the spo_unified code over the past two weeks that make
this upgrade necessary to use the system to best effect.

Barnyard has been tested on Linux, FreeBSD and OpenBSD on x86 so far, so
we're not quite sure what's going to happen on big endian machines or
other CPUs at this point.  YMMV, use at your own risk, etc.  Anyone who
develops patches for ports to other platforms please submit them to
myself or Andrew Baker <andrewb at ...81...>.

Output plugin authors should take a look at the system architecture and
the output plugin templates found in the 'templates' directory.  This is
really the direction that Snort will be headed in the future, so you
guys should start thinking about transitioning your stuff over sooner
rather than later.

We're working on setting up a new project at Sourceforge to manage
development and coordinate Barnyard resources, but for now we'll keep
the mail on snort-[users|dev] and distribute everything off of
snort.org.

Thanks go out to Andrew Baker <andrewb at ...81...> and Chris Green
<cmg at ...81...> who really helped me get this thing off the ground!

     -Marty

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
