[Snort-users] Barnyard, ACID output
agent33 at ...187...
Thu Jan 17 09:49:14 EST 2002
> I recently installed barnyard to handle the various Snort output
> formats, but the documentation is a bit weak on a few points, so I've
> had to do some trial-and-error work.
> 1) Is the Unified log/alert format the only output I need to
> specify in
> 5) My ACID database is receiving input from barnyard, but ALL the IP
> addresses are backwards! Instead of "18.104.22.168", it lists the
> source address as "22.214.171.124". What's up with that?
I have found this to be true when using the snort.alert unified file, try
> 6) The ACID database no longer contains the packet
> information like my
> old configuration (straight from snort to ACID). Is this a
> deficiency of
> the Unified format logs?
See above. You should get full packet details.
> 7) What's the best startup configuration for snort to accomplish what
> I'm doing? The command line execution call vs. snort.conf vs.
> barnyard.conf relationship is very poorly documented, so it's hard to
> figure out where/how to specify what. I currently have:
Commandline ALWAYS wins. It overrides anything you put in the conf file.
> daemon /usr/sbin/snort -u snort -g snort -l /var/log/snort -d -D \
>   -i $INTERFACE -c /etc/snort/snort.conf
> in my snortd startup, and
> /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
>   -w /var/log/snort/alert.offset -g /etc/snort/gen-msg.map \
>   -s /etc/snort/sid-msg.map -f snort.alert &
I am using
#snort -de -C -D -c /etc/snort/snort.conf
#barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w
> for barnyard. Actually, how are most people getting barnyard
> to launch?
Working like a champ.
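A note on the "backwards" addresses in point 5, as an added check that is not part of the thread and not code from Snort, Barnyard or ACID. ACID stores ip_src and ip_dst as unsigned 32-bit integers in network byte order. If a writer packs the address in host order on an x86 box (little-endian) and the database then reads it as big-endian, every address comes back with its four octets reversed (10.1.2.3 becomes 3.2.1.10). That is my reading of the symptom, not something the thread confirms. The script below reproduces the reversal and audits constructed ACID-style rows for it, using the sensor's HOME_NET as the tie-breaker; the table layout, the HOME_NET ranges and the sample rows are all assumptions made for the example.

```python
"""Audit ACID ip_src/ip_dst integers for byte-swapped (octet-reversed) values.

Added example, not code from the Snort-users thread or from ACID/Barnyard.
Assumed: rows are (sid, cid, ip_src, ip_dst) with the addresses stored as
unsigned 32-bit integers, and HOME_NET below is the sensor's monitored range.
"""
import ipaddress
import struct

# Constructed for the example: the networks this sensor watches (snort.conf HOME_NET).
HOME_NET = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def dotted_to_int(addr: str) -> int:
    """Dotted quad -> the unsigned 32-bit value ACID expects (network byte order)."""
    return int(ipaddress.IPv4Address(addr))


def int_to_dotted(value: int) -> str:
    """Unsigned 32-bit value (network byte order) -> dotted quad."""
    return str(ipaddress.IPv4Address(value))


def byteswap32(value: int) -> int:
    """Reinterpret a 32-bit value in the opposite byte order; reverses the four octets."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def write_as_host_order(addr: str) -> int:
    """Simulate the failure mode: the writer packs the address in little-endian
    host order and the database reads the same four bytes back as big-endian."""
    packed = struct.pack("<I", dotted_to_int(addr))  # what a host-order writer emits on x86
    return struct.unpack(">I", packed)[0]            # what ACID then reads as the address


def looks_byteswapped(value: int, home_nets=HOME_NET) -> bool:
    """Heuristic: the stored address is outside HOME_NET but its octet-reversed
    form is inside it. Addresses that are outside HOME_NET either way are not
    flagged, because the integer alone carries no evidence."""
    stored = ipaddress.IPv4Address(value)
    swapped = ipaddress.IPv4Address(byteswap32(value))
    in_home = any(stored in net for net in home_nets)
    swapped_in_home = any(swapped in net for net in home_nets)
    return swapped_in_home and not in_home


def audit_rows(rows):
    """Return (cid, column, stored_dotted, corrected_dotted) for each suspect value."""
    findings = []
    for _sid, cid, ip_src, ip_dst in rows:
        for column, value in (("ip_src", ip_src), ("ip_dst", ip_dst)):
            if looks_byteswapped(value):
                findings.append(
                    (cid, column, int_to_dotted(value), int_to_dotted(byteswap32(value)))
                )
    return findings


# Constructed sample rows: cid 1 was written correctly, cids 2 and 3 through
# the host-order path. The ip_dst of cid 2 (172.16.5.9) is outside HOME_NET in
# both orientations, so the heuristic cannot decide it and leaves it alone.
SAMPLE_ROWS = [
    (1, 1, dotted_to_int("10.1.2.3"), dotted_to_int("172.16.5.9")),
    (1, 2, write_as_host_order("10.1.2.3"), write_as_host_order("172.16.5.9")),
    (1, 3, write_as_host_order("192.168.1.77"), write_as_host_order("10.1.200.1")),
]


if __name__ == "__main__":
    for cid, column, stored, corrected in audit_rows(SAMPLE_ROWS):
        print(f"cid={cid} {column}: stored {stored}, probably {corrected}")
```

The corrected integer for a flagged value is simply byteswap32 of the stored one, so a repair is an UPDATE of that column restricted to the flagged cids rather than a blanket rewrite; values the heuristic cannot decide (outside HOME_NET in both orientations) need a second source of truth, such as the raw unified file or the packet payload, before they are touched.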