[Snort-users] Barnyard Options Help Needed!

Chris Eidem ceidem at ...5503...
Fri Dec 20 06:39:08 EST 2002


> First, Snort creates two unified files; an alert and a log file.
> However, when I tell Barnyard to use the alert file (with -f), the
> packet data is not sent to the database.  If I tell Barnyard to use the
> log file, nothing gets sent to the database.  The output plugin used is
> alert_acid_db, with the "detail full" setting.  How do I tell Barnyard
> to send alerts with full packet data to the database?
>
> Secondly, I can't seem to figure out how to get any of the other output
> plugins to work.  I want to use alert_fast and log_pcap, but the files
> are not being created.  I've tried starting Barnyard with "-L
> /var/log/snort" but this seems to do nothing.  I tried putting a
> filename after the "output alert_fast" in the conf file, but then it
> complains that it doesn't know about this plugin.  What am I doing
> wrong?
>

you could help us help you by sending your command lines and
barnyard.conf files.

hint, barnyard only processes one unified log file, so if you want to
look at both the alerts and the log, you need to run two instances of
barnyard, each with a different .conf file.

example (assuming that you are running snort to output to unified):

command lines:
barnyard -c barnyard-log.conf -f snort.log <rest of options>
barnyard -c barnyard-alert.conf -f snort.alert <rest of options>

barnyard-log.conf:
# data processors: barnyard picks the one matching the unified file type
config hostname: snortbox
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output log_pcap
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort

barnyard-alert.conf:
config hostname: snortbox
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_fast

remember, if you are asking for help, give information.  i haven't been
able to get libmindread.so to compile for years...

 - chris
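A small shell check, added here and not part of the list message, that can be run over each barnyard.conf before launching the two instances: it confirms the conf names the dp_ processor matching the unified file type it will be pointed at, flags the db_ misspelling of that prefix, and insists on at least one output line. The processor names dp_alert, dp_log and dp_stream_stat are assumed from barnyard's own naming; the sample confs below are constructed.

```shell
#!/bin/sh
# check_barnyard_conf CONF TYPE   (TYPE is alert, log or stream_stat)
# Prints each finding and returns 0 only when CONF looks usable for a
# snort.TYPE unified file. Assumes barnyard's processor names are
# dp_alert, dp_log and dp_stream_stat.
check_barnyard_conf() {
    conf=$1; type=$2; rc=0
    # "db_" is a common slip for the "dp_" (data processor) prefix
    if grep -qE "^processor[[:space:]]+db_" "$conf"; then
        echo "$conf: 'db_' processor found; barnyard processors are dp_alert, dp_log, dp_stream_stat"
        rc=1
    fi
    # without the matching processor the unified file is silently ignored
    if ! grep -qE "^processor[[:space:]]+dp_${type}([[:space:]]|$)" "$conf"; then
        echo "$conf: no 'processor dp_${type}' line, so a snort.${type} file will not be processed"
        rc=1
    fi
    # no output plugin means nothing reaches the database or disk
    if ! grep -qE "^output[[:space:]]+" "$conf"; then
        echo "$conf: no output plugin configured; nothing will be written"
        rc=1
    fi
    return $rc
}

# Constructed sample confs (not from the list message) to exercise the check.
tmp=$(mktemp -d)
cat > "$tmp/barnyard-log.conf" <<'EOF'
config hostname: snortbox
processor dp_log
output log_pcap
EOF
cat > "$tmp/barnyard-broken.conf" <<'EOF'
config hostname: snortbox
processor db_log
output alert_fast
EOF

check_barnyard_conf "$tmp/barnyard-log.conf" log && echo "log conf OK"
check_barnyard_conf "$tmp/barnyard-broken.conf" log || echo "broken conf rejected"
```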