[Snort-users] Barnyard, ACID output

Steve Halligan agent33 at ...187...
Thu Jan 17 09:49:14 EST 2002


> I recently installed barnyard to handle the various Snort output 
> formats, but the documentation is a bit weak on a few points, so I've 
> had to do some trial-and-error work.
> 
> 1) Is the Unified log/alert format the only output I need to specify in
> snort.conf?

Yes.

> 5) My ACID database is receiving input from barnyard, but ALL the IP 
> addresses are backwards! Instead of "64.129.103.189", it lists the 
> source address as "189.103.129.64". What's up with that?
> 

I have found this to be true when using the snort.alert unified file; try
snort.log instead.

> 6) The ACID database no longer contains the packet information like my
> old configuration (straight from snort to ACID). Is this a deficiency of
> the Unified format logs?

See above.  You should get full packet details.

> 
> 7) What's the best startup configuration for snort to accomplish what 
> I'm doing? The command line execution call vs. snort.conf vs. 
> barnyard.conf relationship is very poorly documented, so it's hard to 
> figure out where/how to specify what. I currently have:

Commandline ALWAYS wins.  It overrides anything you put in the conf file.

> 
> 	daemon /usr/sbin/snort -u snort -g snort -l /var/log/snort -d -D \
> 	       -i $INTERFACE -c /etc/snort/snort.conf
> 
> in my snortd startup, and
> 
> 	/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
> 	       -w /var/log/snort/alert.offset -g /etc/snort/gen-msg.map \
> 	       -s /etc/snort/sid-msg.map -f snort.alert &

I am using

#snort -de -C -D -c /etc/snort/snort.conf

for snort, and

#barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnwaldo -l

for barnyard.

> 
> for barnyard. Actually, how are most people getting barnyard to launch?

Working like a champ.

-Steve
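The "backwards" addresses in question 5 (64.129.103.189 showing up as 189.103.129.64) are exactly what a 32-bit IPv4 address looks like when its four bytes are written in the reverse byte order. The following Python is an added example, not code from this thread or from barnyard/ACID: it shows that mapping and a sanity check you can run over addresses pulled from the ACID event table, assuming you know the sensor's monitored network (constructed here as 64.129.103.0/24). That the reversal is a byte-order problem is an assumption consistent with the symptom, not something the thread confirms.

```python
import ipaddress
import socket

def swap_ip_bytes(dotted: str) -> str:
    """Read the four address bytes in the opposite order.

    64.129.103.189 with its bytes reversed becomes 189.103.129.64, which
    matches the symptom reported in the thread (assumed to be a
    byte-order issue).
    """
    return socket.inet_ntoa(socket.inet_aton(dotted)[::-1])

def classify_stored_addresses(stored, home_nets):
    """Count how many stored addresses fall inside the monitored networks
    as stored versus after a byte swap.  If the swapped form matches far
    more often, the table very likely holds reversed addresses."""
    nets = [ipaddress.ip_network(n, strict=False) for n in home_nets]

    def in_home(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    as_is = sum(1 for a in stored if in_home(a))
    swapped = sum(1 for a in stored if in_home(swap_ip_bytes(a)))
    return {"as_is": as_is, "swapped": swapped,
            "reversed_suspected": swapped > as_is}

def repair_addresses(stored):
    """Undo the reversal for every address.  Only apply this after
    classify_stored_addresses has confirmed the table is affected."""
    return [swap_ip_bytes(a) for a in stored]

# Constructed sample: source addresses as they might appear in the ACID
# event table of a sensor whose HOME_NET is 64.129.103.0/24 (constructed).
HOME_NETS = ["64.129.103.0/24"]
SAMPLE_STORED = ["189.103.129.64", "200.103.129.64", "7.103.129.64", "10.0.0.5"]

if __name__ == "__main__":
    print(swap_ip_bytes("64.129.103.189"))  # 189.103.129.64
    print(classify_stored_addresses(SAMPLE_STORED, HOME_NETS))
    print(repair_addresses(SAMPLE_STORED))
```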
