[Snort-devel] Barnyard & Snort
peleus at ...1667...
Mon Nov 18 16:18:02 EST 2002
I have made some changes to Barnyard's Fast Alert output to allow
it to more closely mimick Snort's Fast Alert output. The problem I had
with the existing format was that it was not compatible with SnortSnarf
and other utilities.
The changes are all in the op_fast.c file so you should just need
to place it in the barnyard_source/src/output-plugins/ directory and
recompile. I have made the file available for download at
http://www.peleus.net/snort/op_fast.c . I did not attach the file because
I did not want to get flamed over sending attachments on a mailing list.
In order to take advantage of the changes, you add the key word
Standard_Mode to the output alert_fast configuration line. For example:
output alert_fast: /var/log/snort/fast.alert Standard_Mode
The code defaults to Barnyard's existing format. All of the
changes are marked with tags /* ANONYMIZER CHANGE */ to make it easier for
the barnyard developers to audit the changes. My guess is they will need
to rename the references to "Standard" since that is a relative term.
The code has not been tested in multiple environments nor has it been
tested with all plugins so use at your own risk. Myself and Anonymizer
are not liable for any damages caused by using this code.
Known bugs include that it does not log detailed info on portscan2
attacks the same way Snort does. It is my understanding that Snort does
not record that information while in unified output mode.
I hope it works for you!
More information about the Snort-devel