[Snort-users] barnyard, alerts, logs and acid

Chris Eidem ceidem at ...5503...
Fri Aug 2 08:58:03 EDT 2002


> -*> Snort! <*-
> Version 1.8.7 (Build 128)
> 
> -*> Barnyard! <*-
> Version 0.1.0-rc2 (Build 11)
> 
> acid-0.9.6b22 from cvs (yesterday)
> 

so far so good.

> Acid isn't showing any alerts picked up and inserted by barnyard.
> 
> I have that version of snort using:
> output alert_unified: filename snort.unified.alert, limit 64
> output log_unified: filename snort.unified.log, limit 64
> 
> barnyard.conf has:
> config hostname: myhost.localnet
> config interface: eth0
> processor dp_alert
> processor dp_log
> output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
> output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
> 

you don't really need both. it is my understanding that log_acid_db
contains all the info that alert_acid_db has.

> Now, the command-line:
> barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/barnyard/ -s /etc/snort/sid-msg.map -f snort.unified.alert
> 
> Which bunch of files should be processed first? alert or log?
> Should there be two instances of barnyard?
> Doesn't log include alert? What happened is that barnyard
> inserted lots of data into acid, but acid wouldn't show it. The
> main page showed some percentages regarding tcp, udp and icmp,
> but it didn't actually have any alerts. All searches and queries
> would end up with zero alerts in the database.

it looks like your messages are there but they don't have a sensor id in
the database records.  do a "SELECT * FROM sensor;" and see if you have
any records.  if you don't, do a 

"insert into sensor values('1','test','doodle doodle dee','NULL',1,0);"

that should do it.


hope that helps,
 - chris
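A diagnostic sequence for the "events present, nothing shown" symptom Chris describes, added here as an example and not part of the original thread. It assumes the standard Snort/ACID MySQL schema in which both the `event` and `sensor` tables carry a `sid` column, and it reuses the hostname, interface and sensor_id 1 from the barnyard.conf quoted above; the positional INSERT mirrors the column order of Chris's one-liner.

```sql
-- 1. Did barnyard actually insert anything?
SELECT COUNT(*) AS total_events FROM event;

-- 2. Which sensor ids do those events reference?
SELECT sid, COUNT(*) AS events_per_sid
  FROM event
 GROUP BY sid;

-- 3. Chris's diagnosis: events whose sid has no matching sensor row.
--    ACID resolves events through the sensor table, so these are
--    the rows that never show up in its alert listings.
SELECT e.sid, COUNT(*) AS orphaned_events
  FROM event e
  LEFT JOIN sensor s ON s.sid = e.sid
 WHERE s.sid IS NULL
 GROUP BY e.sid;

-- 4. Only if step 3 lists sid 1: add the missing sensor row.
--    Same positional layout as the insert in the reply above
--    (sid, hostname, interface, filter, detail, encoding is an
--    assumption about the column order; check with DESCRIBE sensor).
INSERT INTO sensor VALUES ('1','myhost.localnet','eth0','NULL',1,0);

-- 5. Re-run step 3; an empty result means every event now
--    has a sensor and ACID should list the alerts.
```

Run `DESCRIBE sensor;` first if your ACID schema version differs, since a column-count mismatch makes the positional INSERT fail rather than silently misplace values.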
