[Snort-users] Barnyard, ACID output

a.h.s. boy spud at ...4557...
Thu Jan 17 08:13:24 EST 2002

I recently installed barnyard to handle the various Snort output 
formats, but the documentation is a bit weak on a few points, so I've 
had to do some trial-and-error work.

1) Is the Unified log/alert format the only output I need to specify in 

2) I have barnyard configured to use fast alert output, but the argument 
to the output wants a "filename", and though I have "output alert_fast", 
it creates a file called "fast.alert" (notice the name difference), and 
it seems to create it in whatever folder I execute the barnyard binary 
from. I tried entering a full pathname, but it didn't like that format.

3) I have barnyard also set to use syslog output, and that works well. 
Then I use logcheck to email me hourly reports on snort-related traffic 
from syslog.

4) I have ACID output configured to go to a MySQL database. The output 
arguments are described vaguely in the .conf file, but one example in 
the file includes "detail full", though that isn't explained as a 
parameter to the output command. What is that specifying?

5) My ACID database is receiving input from barnyard, but ALL the IP 
addresses are backwards! Instead of "", it lists the 
source address as "". What's up with that?

6) The ACID database no longer contains the packet information like my 
old configuration (straight from snort to ACID). Is this a deficiency of 
the Unified format logs?

7) What's the best startup configuration for snort to accomplish what 
I'm doing? The command line execution call vs. snort.conf vs. 
barnyard.conf relationship is very poorly documented, so it's hard to 
figure out where/how to specify what. I currently have:

	daemon /usr/sbin/snort -u snort -g snort -l /var/log/snort -d -D \
                  -i $INTERFACE -c /etc/snort/snort.conf

in my snortd startup, and

	/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
	    -w /var/log/snort/alert.offset -g /etc/snort/gen-msg.map \
	    -s /etc/snort/sid-msg.map -f snort.alert &

for barnyard. Actually, how are most people getting barnyard to launch? 
It doesn't seem to create its own startup file, so I just hacked one 
together from my paltry understanding of init.d scripts.

Answers to any of these queries would educate me just that much more...
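An added example (not from the original post or the barnyard project) of the kind of init.d-style wrapper asked about in point 7: it reuses the flags from the post, checks the files barnyard reads before launching, and starts barnyard from the log directory so the relative fast-alert filename mentioned in point 2 lands there instead of in whatever directory the script was run from. The variable names, the pidfile location, and the use of `&` plus `$!` instead of any daemon flag are assumptions.

```shell
#!/bin/sh
# Added example: minimal init.d-style start/stop wrapper for barnyard.
# All paths below are assumed locations taken from the post; override via env.
BARNYARD=${BARNYARD:-/usr/local/bin/barnyard}
CONF=${CONF:-/etc/snort/barnyard.conf}
LOGDIR=${LOGDIR:-/var/log/snort}
WALDO=${WALDO:-/var/log/snort/alert.offset}
GENMAP=${GENMAP:-/etc/snort/gen-msg.map}
SIDMAP=${SIDMAP:-/etc/snort/sid-msg.map}
SPOOL=${SPOOL:-snort.alert}
PIDFILE=${PIDFILE:-/var/run/barnyard.pid}   # assumed pidfile location

# Build the exact command line that start() runs, so it can be inspected or tested.
barnyard_cmd() {
    printf '%s -c %s -d %s -w %s -g %s -s %s -f %s' \
        "$BARNYARD" "$CONF" "$LOGDIR" "$WALDO" "$GENMAP" "$SIDMAP" "$SPOOL"
}

# Refuse to launch if a config or map file is unreadable or the log dir is missing;
# returns 1 on the first problem found, 0 when everything is in place.
check_prereqs() {
    for f in "$CONF" "$GENMAP" "$SIDMAP"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    [ -d "$LOGDIR" ] || { echo "log directory missing: $LOGDIR" >&2; return 1; }
    return 0
}

start() {
    check_prereqs || return 1
    # Run from the log directory: files barnyard names relatively (such as the
    # fast-alert output) are then created next to the spool files, not in $PWD.
    (cd "$LOGDIR" && exec $(barnyard_cmd)) &
    echo $! > "$PIDFILE"
}

stop() {
    [ -r "$PIDFILE" ] && kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "$1" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
esac
```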


