[Snort-users] barnyard, alerts, logs and acid

Andreas Hasenack andreas at ...1574...
Fri Aug 2 06:47:22 EDT 2002


-*> Snort! <*-
Version 1.8.7 (Build 128)

-*> Barnyard! <*-
Version 0.1.0-rc2 (Build 11)

acid-0.9.6b22 from cvs (yesterday)

Acid isn't showing any alerts picked up and inserted by barnyard.

I have that version of snort using:
output alert_unified: filename snort.unified.alert, limit 64
output log_unified: filename snort.unified.log, limit 64

barnyard.conf has:
config hostname: myhost.localnet
config interface: eth0
processor dp_alert
processor dp_log
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full

Now, the command-line:
barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/barnyard/ -s /etc/snort/sid-msg.map -f snort.unified.alert

Which bunch of files should be processed first? alert or log? Should there be two
instances of barnyard?
Doesn't log include alert? What happened is that barnyard inserted lots of data
into acid, but acid wouldn't show it. The main page showed some percentages regarding
tcp, udp and icmp, but it didn't actually have any alerts. All searches and queries
would end up with zero alerts in the database.

Any tips would be appreciated.
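A few diagnostic queries for the situation described above, added here as an example and not part of the original post. They assume the MySQL schema that shipped with Snort 1.8 (tables sensor, event, signature, iphdr, tcphdr, udphdr, icmphdr, created by contrib/create_mysql) and, optionally, ACID's own acid_event cache table; the database name "snort" and sensor_id 1 are taken from the barnyard.conf quoted above. Table and column names are assumptions to check against your own schema.

```sql
-- Added diagnostic (not from the original post). Run as the "snort" user
-- against the database barnyard writes to.
USE snort;

-- 1. Is the sensor that barnyard inserts as sensor_id 1 registered, and has
--    its last_cid advanced? If last_cid is still 0, nothing was committed.
SELECT sid, hostname, interface, detail, last_cid
FROM sensor;

-- 2. Row counts per table. Alerts land in event and signature; the
--    per-protocol percentages on ACID's front page come from iphdr and
--    the tcphdr/udphdr/icmphdr rows, so rows here with an empty event
--    table would explain "percentages but zero alerts".
SELECT 'event'     AS tbl, COUNT(*) AS n FROM event
UNION ALL SELECT 'signature', COUNT(*) FROM signature
UNION ALL SELECT 'iphdr',     COUNT(*) FROM iphdr
UNION ALL SELECT 'tcphdr',    COUNT(*) FROM tcphdr
UNION ALL SELECT 'udphdr',    COUNT(*) FROM udphdr
UNION ALL SELECT 'icmphdr',   COUNT(*) FROM icmphdr;

-- 3. Events with no matching signature row. ACID resolves the alert name by
--    joining event.signature to signature.sig_id, so unmatched events are a
--    likely reason for a listing that shows fewer alerts than were inserted.
SELECT e.sid, e.cid, e.signature, e.timestamp
FROM event e
LEFT JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_id IS NULL
LIMIT 20;

-- 4. Packet headers with no matching event row for the same (sid, cid).
--    Rows here mean the log stream was inserted but the alert stream for
--    the same packets was not, which is worth knowing before deciding
--    whether alert and log should be fed through two barnyard instances.
SELECT i.sid, i.cid,
       INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst, i.ip_proto
FROM iphdr i
LEFT JOIN event e ON e.sid = i.sid AND e.cid = i.cid
WHERE e.cid IS NULL
LIMIT 20;

-- 5. If ACID's cache table exists (acid_event in 0.9.6), compare its count
--    with event; a stale cache shows zero alerts even when event has rows.
SELECT (SELECT COUNT(*) FROM event)      AS events_in_db,
       (SELECT COUNT(*) FROM acid_event) AS events_in_acid_cache;
```

Query 5 errors out harmlessly if the acid_event table is not present in your ACID version; the first four are enough to tell whether the data barnyard inserted is complete and consistent, independent of what the ACID front end displays.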
