[Snort-sigs] Unified output for barnyard
rvissche at ...1206...
Fri Sep 5 14:55:08 EDT 2003
First off, this is a question for
snort-users/snort-devel/barnyard-devel/barnyard-users NOT snort-sigs.
Unified log filenames and pcap filenames (snort -b) are both created as
snort.log.########### (where the ######### is a unix timestamp). So I am
guessing that you have some old pcap files in that dir, and since you
used snort.log.*, the first file the glob will give is the oldest file
(probably a pcap file). Try specifying a file you know is a unified out
HINT: you don't want this one:
bash-2.05b# file dailylogs/2003-08-31/snort.log.1062370801
dailylogs/2003-08-31/snort.log.1062370801: tcpdump capture file
(little-endian) - version 2.4 (Ethernet, capture length 1514)
The good one:
bash-2.05b# file snort.log.1061213407
snort.log.1061213407: 8086 relocatable (Microsoft)
On Fri, 2003-09-05 at 14:02, Michael Miller wrote:
> Snort.conf has the usual default output lines:
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
> Barnyard.conf is very basic:
> processor dp_alert and processor dp_log are enabled.
> When running a snortlog through barnyard, I get:
> scdlelinux01:/home/ids/logs/scdleids01 # barnyard -o -c
> /home/ids/rulesets/current/barnyard.conf -f ./snort.log.*
> -*> Barnyard! <*-
> Version 0.1.0 (Build 17)
> By Andrew R. Baker (andrewb at ...95...)
> and Martin Roesch (roesch at ...435..., www.snort.org)
> Loading Data Processors...
> dp_alert loaded
> dp_log loaded
> dp_stream_stat loaded
> Loading Built-in Output Plugins...
> Fast Alert plugin initialized
> AlertSyslog initialized
> Log Dump plugin initialized
> LogPcap initialized
> AlertCSV initialized
> Parsing Config file: /home/ids/rulesets/current/barnyard.conf
> Barnyard Version 0.1.0 (Build 17) started
> ERROR => No input plugin found for magic: a1b2c3d4
> Fatal Error, Quitting..
> scdlelinux01:/home/ids/logs/scdleids01 #
> I've seen this error a LOT in Google, and the response has been 'get
> latest version of snort'...well, I did, and I'm still getting the
Bamm (Robert) Visscher
Network Security Engineer
rvissche at ...1206...
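The thread's point is that a `snort.log.*` glob mixes two file types that only differ in their first four bytes: libpcap captures (magic a1b2c3d4, the value barnyard complains about) and Snort unified logs. The script below is an added example, not code from the thread or from the Snort/Barnyard projects. It reads the leading bytes of each candidate file and reports which ones are unified output, so the right file can be handed to barnyard -f. The pcap magic comes from the quoted error; the unified magics (ALERT_MAGIC 0xDEAD4137, LOG_MAGIC 0xDEAD1080) are taken from Snort 2.x's spo_unified.h and are an assumption as far as this page is concerned. Note that 0xDEAD1080 stored little-endian starts with byte 0x80, which is why `file` mislabels the good file as "8086 relocatable".

```python
import os
import struct
import tempfile

# libpcap magic, microsecond and nanosecond variants (host byte order of the writer).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}
# Unified alert/log magics: assumption, taken from Snort 2.x spo_unified.h, not from the page.
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080


def classify_magic(head: bytes) -> str:
    """Classify a file by its first four bytes, trying both byte orders
    because the writer's endianness is unknown."""
    if len(head) < 4:
        return "too-short"
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, head[:4])[0]
        if magic in PCAP_MAGICS:
            return "pcap"
        if magic == UNIFIED_ALERT_MAGIC:
            return "unified-alert"
        if magic == UNIFIED_LOG_MAGIC:
            return "unified-log"
    return "unknown"


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_magic(fh.read(4))


def find_barnyard_inputs(directory: str, prefix: str = "snort.log."):
    """Return {filename: kind} for every prefix-matching file, oldest first
    (same order a shell glob would hand them to barnyard)."""
    names = sorted(n for n in os.listdir(directory) if n.startswith(prefix))
    return {n: classify_file(os.path.join(directory, n)) for n in names}


def unified_log_files(directory: str, prefix: str = "snort.log."):
    """Only the files barnyard's dp_log processor can read."""
    return [n for n, kind in find_barnyard_inputs(directory, prefix).items()
            if kind == "unified-log"]


def build_sample_dir() -> str:
    """Constructed sample data: one old pcap and one unified log, both
    named like Snort's timestamped output, plus a stray unrelated file."""
    d = tempfile.mkdtemp(prefix="snortlogs-")
    samples = {
        "snort.log.1062370801": struct.pack("<I", 0xA1B2C3D4) + b"\x00" * 20,
        "snort.log.1061213407": struct.pack("<I", UNIFIED_LOG_MAGIC) + b"\x00" * 20,
        "snort.alert.1061213407": struct.pack("<I", UNIFIED_ALERT_MAGIC) + b"\x00" * 20,
        "README": b"not a log\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, kind in find_barnyard_inputs(sample).items():
        print(f"{name}: {kind}")
    print("feed these to barnyard -f:", unified_log_files(sample))
```

Running it over a real log directory is just `find_barnyard_inputs("/home/ids/logs/scdleids01")`; anything reported as "pcap" belongs to `snort -b`, not to log_unified, and will trigger the "No input plugin found for magic" error if passed to barnyard.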