[Snort-users] barnyard

James Ashton admin at ...6022...
Sun Jun 9 21:57:02 EDT 2002


I'm back.

I am attempting to get barnyard working. I am running:
 ./barnyard -o -c /etc/snort/barnyard -d /var/log/snort -f snort.alert.17326~

Here is the screen output I get:

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING /etc/snort/barnyard.conf(153) => Unknown output plugin "alert_acid_db" referenced, ignoring!
ERROR => Unable to open SID file "/etc/snort/sid-msg.map": No such file or directory
Barnyard Version 0.1.0-beta7 (Build 10) started
Number of records:  56
Exiting

Here is barnyard.conf:

#-------------------------------------------------------------
#   http://www.snort.org    Barnyard 0.1.0 configuration file
#          Contact: snort-barnyard at lists.sourceforge.net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.17 2002/05/27 15:06:10 andrewb Exp $
########################################################
# Currently you want to do two things in here: turn on
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on
# the type of file you try to load.
########################################################

# Step 0: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
# config daemon

# use localtime instead of UTC (*not* recommended because of timewarps)
#config localtime

# set the hostname (currently only used for the acid db output plugin)
config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
config interface: lo

# set the filter (currently only used for the acid db output plugin)
config filter: not port 22

# Step 1: setup the data processors

# dp_alert
# --------------------------
# The dp_alert data processor is capable of reading the alert (event) format
# generated by Snort's spo_unified plug-in.  It is used with output plug-ins
# that support the "alert" input type.  This plug-in takes no arguments.
processor dp_alert


# dp_log
# ---------------------------
# The dp_log data processor is capable of reading the log format generated
# by Snort's spo_unified plug-in.  It is used with output plug-ins
# that support the "log" input type.  This plug-in takes no arguments.
processor dp_log


#   dport_icode     - dest port or ICMP code (or 0)
#   dport           - dest port
#   icode           - ICMP code (if ICMP)
#   proto           - protocol number
#   protoname       - protocol name
#   flags           - flags from UnifiedAlertRecord
#   msg             - message text
#
# Examples:
#   output alert_csv: /var/log/snort/csv.out
#   output alert_csv: /var/log/snort/csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
#   output alert_csv: csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode


# alert_syslog
#-----------------------------
# Converts data from the alert stream into an approximation of Snort's
# syslog alert output plugin.  Same arguments as the output plugin in snort.

#output alert_syslog

# log_pcap
#-----------------------------
# Converts data from the dp_log plugin into standard pcap format
# Argument: <filename>

#output log_pcap

# acid_db
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data into
# the db schema used by ACID
# Arguments:
#      $db_flavor           - what flavor of database (ie, mysql)
#      sensor_id $sensor_id - integer sensor id to insert data as
#      database $database   - name of the database
#      server $server       - server the database is located on
#      user $user           - username to connect to the database as
#      password $password   - password for database authentication
output alert_acid_db: mysql, sensor_id 1, database snort2, server localhost, user snort, password snort
# output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, detail full

I have added gen-msg.map to the /etc/snort directory, but I don't know where to get sid-msg.map, and why am I having the
problem with alert_acid_db? I have been watching traffic patterns and think that my speed problem is in the DB writing.
I think that barnyard will solve some of that, if I can get it to work.

Thanks in advance.

All the previous help has been appreciated. 


_______________________________
James Ashton
Network Admin / Chief of client monitoring

Global Internet Tech, Inc
13840 Osprey Links Dr, #219
Orlando Fl, 32837

407-859-5218  
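The error in the post ("Unable to open SID file") and the question of where sid-msg.map comes from have the same root: Snort's unified output, which barnyard reads, records only generator and signature IDs per event, so barnyard needs sid-msg.map (and gen-msg.map) to turn those IDs back into message text. sid-msg.map is a plain `sid || msg [|| reference ...]` list and can be built from the rules files the sensor already runs. The script below is an added example for this thread, not barnyard's own code or anything the poster supplied: it extracts sid, msg and reference options from constructed sample rules, writes them in sid-msg.map format, loads the map back, and resolves a (gid, sid) pair the way a unified-alert consumer has to. The sample rules, the gen-msg.map text and the "no map entry" placeholder label are this example's own assumptions.

```python
import re

# Constructed sample rules in classic Snort syntax (not from the original post).
SAMPLE_RULES = """\
# comments and blank lines are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; reference:cve,2000-0001; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; reference:arachnids,135; reference:url,example.test/icmp; sid:1000002; rev:1;)
log udp any any -> $HOME_NET 53 (msg:"DNS query logged"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"rule without a sid is skipped"; rev:1;)
"""

# Constructed gen-msg.map text: one "gid || sid || msg" line per non-rule generator event.
SAMPLE_GEN_MAP = """\
1 || 1 || snort general alert
105 || 1 || spp_bo: Back Orifice Traffic detected
"""

MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def parse_rules(text):
    """Return {sid: (msg, [refs])} for every rule line that carries both msg and sid."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        msg_m = MSG_RE.search(line)
        if not sid_m or not msg_m:
            continue  # rules without a sid cannot be mapped from a unified record
        sid = int(sid_m.group(1))
        if sid in table:
            raise ValueError("duplicate sid %d in rules" % sid)
        refs = [r.replace(" ", "") for r in REF_RE.findall(line)]
        table[sid] = (msg_m.group(1), refs)
    return table


def format_sid_msg_map(table):
    """Render the table as sid-msg.map lines: 'sid || msg || ref || ref ...'."""
    lines = []
    for sid in sorted(table):
        msg, refs = table[sid]
        lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


def load_sid_msg_map(text):
    """Parse sid-msg.map text into {sid: msg}; references are kept out of the lookup."""
    result = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip comments, blanks and malformed lines
        result[int(fields[0])] = fields[1]
    return result


def load_gen_msg_map(text):
    """Parse gen-msg.map text into {(gid, sid): msg}."""
    result = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().split("||")]
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        result[(int(fields[0]), int(fields[1]))] = fields[2]
    return result


def event_message(sid_map, gen_map, gid, sid):
    """Resolve a unified record's (gid, sid): gid 1 is a rule hit described by
    sid-msg.map, anything else is a preprocessor/decoder event from gen-msg.map.
    The bracketed fallback label is this example's placeholder, not barnyard's."""
    if gid == 1:
        return sid_map.get(sid, "[1:%d] (no sid-msg.map entry)" % sid)
    return gen_map.get((gid, sid), "[%d:%d] (no gen-msg.map entry)" % (gid, sid))


def build_and_resolve():
    """End-to-end run over the constructed samples; returns the resolved messages."""
    table = parse_rules(SAMPLE_RULES)
    sid_map = load_sid_msg_map(format_sid_msg_map(table))
    gen_map = load_gen_msg_map(SAMPLE_GEN_MAP)
    return [event_message(sid_map, gen_map, gid, sid)
            for gid, sid in ((1, 1000001), (105, 1), (1, 4242))]


if __name__ == "__main__":
    print(format_sid_msg_map(parse_rules(SAMPLE_RULES)), end="")
    for msg in build_and_resolve():
        print(msg)
```

Run against a real rules directory, `parse_rules` would be fed the concatenated `*.rules` files and the output written to /etc/snort/sid-msg.map; the duplicate-sid check matters there, because two rules sharing a sid would otherwise silently label each other's events.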
