[Snort-users] snort-1.8.7 and alert file

Andrew R. Baker andrewb at ...950...
Sat Aug 3 08:43:02 EDT 2002


Michael Scheidell wrote:
>>On Fri, Aug 02, 2002 at 10:56:57AM -0400, Michael Scheidell wrote:
>>
>>>I have ended up needing one copy of snort (which outputs TWO unified files)
>>>and two copies of barnyard with two different config files.
>>>
>>>What I would want to do is to have snort create a unified file with both log
>>>and alerts in it.
>>
>>I don't understand these too. Doesn't log contain alerts as well?
>>
> 
> 
> A binary look at the file (using beav) seems to indicate it keeps logs and
> alerts, so, yes, snort will put both in (I think); however, there is no way
> for me to double check this.  Daemon mode, one shot mode, special,
> specific barnyard.conf in one shot mode fails to produce any 'alerts' from
> log.* barnyard unified files.
> 

Yes, unified log contains all the alert data associated with a packet 
log (and any tag reference information as well).  The original thinking 
was that people would want to see alerts in a more real-time manner than 
seeing packet logs.  Having the alert only unified file allows them to 
be processed much faster.

The fact that Barnyard will not (yet) generate alerts from the unified 
log output files (except for the database output plugin) is a known 
deficiency with Barnyard.  I currently run two instances of Barnyard on 
my systems: one to process alerts and one to process logs.  In version 
0.2 there will be a log_alert output plugin that will call the enabled 
alert output plugins while processing a unified log file.  I will be 
starting work on 0.2 once 0.1 is released (which is only waiting on me 
fixing the documentation).

-Andrew