[Snort-sigs] Unified output for barnyard

Bamm Visscher rvissche at ...1206...
Fri Sep 5 14:55:08 EDT 2003


First off, this is a question for
snort-users/snort-devel/barnyard-devel/barnyard-users NOT snort-sigs.

Unified log filenames and pcap filenames (snort -b) are both created as
snort.log.########### (where the ######### is a unix timestamp). So I am
guessing that you have some old pcap files in that dir, and since you
used snort.log.*, the first file the glob will give is the oldest file
(probably a pcap file).  Try specifying a file you know is a unified
output file.

HINT: you don't want this one:
  bash-2.05b# file dailylogs/2003-08-31/snort.log.1062370801
  dailylogs/2003-08-31/snort.log.1062370801: tcpdump capture file
    (little-endian) - version 2.4 (Ethernet, capture length 1514)

The good one:
  bash-2.05b# file snort.log.1061213407
  snort.log.1061213407: 8086 relocatable (Microsoft)

Bammkkkk




On Fri, 2003-09-05 at 14:02, Michael Miller wrote:
> Snort.conf has the usual default output lines:
> 
>  output alert_unified: filename snort.alert, limit 128
>  output log_unified: filename snort.log, limit 128
> 
> Barnyard.conf is very basic:
> 
> processor dp_alert and processor dp_log are enabled.
> 
> When running a snortlog through barnyard, I get:
> 
> 
> scdlelinux01:/home/ids/logs/scdleids01 # barnyard -o -c
> /home/ids/rulesets/current/barnyard.conf -f ./snort.log.*
> 
> -*> Barnyard! <*-
> Version 0.1.0 (Build 17)
> By Andrew R. Baker (andrewb at ...95...)
> and Martin Roesch (roesch at ...435..., www.snort.org)
> 
> Loading Data Processors...
> dp_alert loaded
> dp_log loaded
> dp_stream_stat loaded
> Loading Built-in Output Plugins...
> Fast Alert plugin initialized
> AlertSyslog initialized
> Log Dump plugin initialized
> LogPcap initialized
> AlertCSV initialized
> Parsing Config file: /home/ids/rulesets/current/barnyard.conf
> Barnyard Version 0.1.0 (Build 17) started
> ERROR => No input plugin found for magic: a1b2c3d4
> Fatal Error, Quitting..
> Exiting
> scdlelinux01:/home/ids/logs/scdleids01 #
> 
> =============snip===========
> 
> I've seen this error a LOT in Google, and the response has been 'get
> the latest version of snort'...well, I did, and I'm still getting the
> error.
> 
-- 
Bamm (Robert) Visscher
Network Security Engineer
Ball Corp.
http://www.ball.com
rvissche at ...1206... 
210.240.5950 
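An added example for this thread (not Snort or barnyard code): a small Python script that reads the first 32-bit word of each snort.log.* file the way barnyard does, in host byte order, and separates pcap captures (snort -b) from files barnyard can actually consume, so a glob like snort.log.* doesn't hand it the oldest pcap first. The pcap magic 0xa1b2c3d4 is the value in the error message above; the unified log/alert magics 0xDEAD1080 and 0xDEAD4137 are from memory of Snort's spo_unified.c and are an assumption to verify against your own source tree. The sample headers are constructed.

```python
"""Check the magic word at the start of snort.log.* files before handing
them to barnyard.  Added example for this thread, not barnyard or Snort
code.  Sample headers below are constructed."""
import struct
import sys
from typing import Dict, List, Tuple

# Barnyard reads the first 32-bit word of the file in host byte order and
# looks for an input plugin registered for that value.  0xa1b2c3d4 is the
# libpcap magic from the error above (0xd4c3b2a1 is the same file written
# on a host of the opposite endianness).  The two 0xDEAD.... values are an
# assumption from memory of Snort's spo_unified.c; verify them locally.
KNOWN_MAGIC: Dict[int, Tuple[str, bool]] = {
    0xa1b2c3d4: ("libpcap capture (snort -b output)", True),
    0xd4c3b2a1: ("libpcap capture, byte-swapped", True),
    0xdead1080: ("Snort unified log (assumed magic)", False),
    0xdead4137: ("Snort unified alert (assumed magic)", False),
}


def read_magic(header: bytes, byteorder: str = sys.byteorder) -> int:
    """Interpret the first four bytes as a host-order u32, as barnyard does."""
    if len(header) < 4:
        raise ValueError("need at least 4 bytes of header")
    fmt = "<I" if byteorder == "little" else ">I"
    return struct.unpack(fmt, header[:4])[0]


def identify(header: bytes, byteorder: str = sys.byteorder) -> Tuple[int, str, bool]:
    """Return (magic, description, is_pcap) for a file header."""
    magic = read_magic(header, byteorder)
    desc, is_pcap = KNOWN_MAGIC.get(
        magic, ("unknown magic; barnyard has no input plugin for it", False))
    return magic, desc, is_pcap


def select_candidates(headers: Dict[str, bytes],
                      byteorder: str = sys.byteorder) -> List[str]:
    """Given {filename: first 4+ bytes}, return the names that are not pcap
    captures, i.e. the ones worth passing to barnyard -f."""
    return sorted(name for name, hdr in headers.items()
                  if not identify(hdr, byteorder)[2])


def headers_from_paths(paths: List[str]) -> Dict[str, bytes]:
    """Read the first four bytes of each file on disk."""
    out: Dict[str, bytes] = {}
    for path in paths:
        with open(path, "rb") as fh:
            out[path] = fh.read(4)
    return out


# Constructed sample: what the two files named in the thread would plausibly
# start with on a little-endian x86 host (pcap header, then an assumed
# unified-log magic).
SAMPLE_HEADERS: Dict[str, bytes] = {
    "dailylogs/2003-08-31/snort.log.1062370801":
        bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "ea050000"),
    "snort.log.1061213407": bytes.fromhex("8010adde"),
}

if __name__ == "__main__":
    # Usage: python check_magic.py snort.log.*   (no args: run on the sample)
    headers = headers_from_paths(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, hdr in headers.items():
        magic, desc, _ = identify(hdr)
        print(f"{name}: magic {magic:08x} -> {desc}")
    print("candidates for barnyard -f:", select_candidates(headers))
```

Run it over the directory before invoking barnyard; anything reported as a libpcap capture belongs to snort -b, not to the unified output plugins, and is exactly what produces "No input plugin found for magic: a1b2c3d4".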