[Snort-users] output options in barnyard

Steve Halligan giermo at ...187...
Wed Jul 31 15:29:04 EDT 2002


Damn, I just figured it out...
Alert_fast is an ALERT plugin.  If you don't have barnyard processing the
unified ALERT file you will get no alerts sent to alert_fast.

Is there any way to get a single instance of Barnyard to process snort.alert
and snort.log files?
The -f switch is where you specify the input filename; can you call -f
twice?
barnyard -d /var/log/snort -f snort.log -f snort.alert -L /var/log/barnyard
-c /etc/barnyard/barnyard.conf

Like that?

-steve
 
>> Chris Eidem wrote:
>> > I'm all confused, in barnyard.conf, alert_fast and log_pcap take a
>> > filename as an argument, but docs/USAGE states they do not.  I'm
>> > assuming that they don't since barnyard complains mightily if they're
>> > there.  Ok, so I don't add a file name, but then, what is written where?
>> > I've looked in ./, /var/log, /var/log/snort, but no joy.
>> 
>> 
>> The conf file is correct in this case.  What error is it giving when you
>> specify a filename?
>> 
>
>andrew,
>
>here's the output from reload of the .conf file (shown bottom):
>
>root at ...3953... /usr/local/snort-beta$ kill -HUP 27669       
>AcidDbOpStop
>Reloading configuration
>Loading Data Processors...
>dp_alert loaded
>dp_log loaded
>root at ...3953... /usr/local/snort-beta$ dp_stream_stat loaded
>Loading Built-in Output Plugins...
>Fast Alert plugin initialized
>AlertSyslog initialized
>Log Dump plugin initialized
>LogPcap initialized
>AcidDb output plugin initialized
>AlertCSV initialized
>Parsing Config file: by-xl1.conf
>WARNING by-xl1.conf(8) => Unknown output plugin "alert_fast alert-xl1"
>referenced, ignoring!Args: mysql, sensor_id 1, database stest, server
>localhost, user snort, detail full, password snort
>WARNING ./classification.config(95): Duplicate classification
>"not-suspicious"found, ignoring this line
>
>...
>[similar './classification.config(X):' warnings deleted for brevity ]
>...
>
>Barnyard Version 0.1.0-rc2 (Build 11) started
>AcidDbOpStart
>OpAcidDB configuration details
>Database Flavour: mysql
>Detail Level: Full
>Database Server: localhost
>Database User: snort
>SensorID: 1
>AcidDbOpStart Complete
>
>
>
>barnyard.conf
>------------
>config hostname: cubanelle
>config localtime
>config interface: xl1
>config filter: not port 22
>processor dp_alert
>processor dp_log
>processor dp_stream_stat
>output alert_fast alert-xl1
>output log_pcap 
># output alert_acid_db: mysql, sensor_id 1, database stest, server localhost, user snort, password snort
>output log_acid_db: mysql, sensor_id 1, database stest, server localhost, user snort, detail full, password xxxxxxxxx
>
>thanks for your help,
> - chris
>
>
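
Two checks suggested by this thread, as an added example (not part of the original messages and not barnyard's own code): the "output name: args" split that the warning above reveals (everything before the first ':' is taken as the plugin name, so "output alert_fast alert-xl1" becomes an unknown plugin), and Steve's point that alert_* outputs stay silent unless barnyard is fed the unified alert stream. The parse rule and the alert_/log_ prefix mapping are assumptions drawn from the thread, and the function names are hypothetical.

```python
# Constructed sample: the barnyard.conf quoted in the thread, trimmed to the
# lines that matter here (the alert_fast line carries the filename barnyard rejected).
SAMPLE_CONF = """\
config hostname: cubanelle
processor dp_alert
processor dp_log
output alert_fast alert-xl1
output log_pcap
# output alert_acid_db: mysql, sensor_id 1, database stest
output log_acid_db: mysql, sensor_id 1, database stest, server localhost, user snort
"""


def parse_conf(text):
    """Return (entries, problems). Assumed parse rule, inferred from the thread's
    warning: everything between the keyword and the first ':' is the plugin name,
    so a stray filename becomes part of the name and the plugin is unknown."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        name, _, args = rest.partition(":")
        name = name.strip()
        if keyword == "output" and " " in name:
            problems.append(f"line {lineno}: output plugin name {name!r} contains a "
                            f"space; barnyard will report it as an unknown output "
                            f"plugin (alert_fast and log_pcap take no filename)")
        entries.append((keyword, name, args.strip()))
    return entries, problems


def silent_outputs(entries, unified_stream):
    """Names of output plugins that will never receive a record when barnyard is
    fed only the given unified stream ('alert' or 'log'). Assumption from the
    thread: alert_* plugins consume the unified alert stream via dp_alert,
    log_* plugins the unified log stream via dp_log."""
    processors = {name for kind, name, _ in entries if kind == "processor"}
    silent = []
    for kind, name, _ in entries:
        if kind != "output":
            continue
        family = name.split("_", 1)[0]  # 'alert' or 'log'
        if family != unified_stream or f"dp_{family}" not in processors:
            silent.append(name)
    return silent
```

Running silent_outputs(entries, "log") models "barnyard -f snort.log": only the log stream is read, so the alert_fast output is reported as silent, which is the behaviour Steve describes.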
