[Snort-devel] CSV problems output with snort and barnyard

Terry Vernon tvernon24 at ...2251...
Sun May 8 13:15:26 EDT 2005


Hello, trying to get what I need out of CSV output. Two topics:

software in use:
Snort 2.3.3
barnyard 0.2.0 build 32

The built-in Snort CSV output works fine, but I'd like to ask if there's 
a way to get the priority ID to be shown (it wasn't in the list of options, 
so I guess not without hacking the code), and how much slower this method 
is than the unified output to barnyard (packet loss on a gigabit network 
is a major concern).

Next question: in barnyard 0.2.0 build 32, what is the proper output 
processor to get it to do CSV? I like the idea of letting barnyard 
handle this, and it does include the priority (very important to what I'm 
doing), but when my file for output is created it actually creates the 
file with the plugin arguments in the file path (e.g.  output alert_csv: 
/var/www/html/alerts/csv.out    
srcip,sport,dstip,dport,protoname,priority  creates the file 
/var/www/html/alerts/csv.out?srcip,sport,dstip,dport,protoname,priority), 
which I don't understand; I even threw in a \ line break and put the args 
on the next line, same problem. Not only this, but the output is 
something like 14 comma-delimited fields containing numbers I don't 
recognize; based on the recurrence of one of the numbers I guessed it 
was my own $HOME_NET IP, but it was just a string of about 10 chars. Is 
this the proper format, and do I need something to convert this output to 
human-readable form?

Also, the alert_fast output option in the barnyard.conf file spits this 
error when uncommented:
WARNING /etc/snort/etc/barnyard.conf(42) => Unknown output plugin 
"alert_fast /var/www/html/alerts" referenced, ignoring!Fatal Error, 
Quitting..
Exiting

Snort was built with ./configure --prefix=/usr ; make ; make install.
I ./configured barnyard with no args, and make ; make install worked fine 
(I had to manually copy the barnyard.conf to my /etc/snort/etc directory though).

running barnyard with:
barnyard -c /etc/snort/etc/barnyard.conf -d /var/log/snort -g 
/etc/snort/etc/gen-msg.map -s /etc/snort/etc/sid-msg.map -f snort.alert

running snort with:
snort -c /etc/snort/etc/snort.conf -D

Running on Fedora Core 3 (selinux default config)

Pulling my fscking hair out,
Terry Vernon
