[Snort-users] barnyard (Payload)

Bamm Visscher bamm at ...539...
Tue Oct 15 06:58:53 EDT 2002


Alwin,

In order to get payload data into you acid/mysql db you need to change
this line:

output alert_acid_db: mysql, sensor_id 1, database
snort, server localhost, user usnort, password loghog

to

output log_acid_db: mysql, sensor_id 1, database
snort, server localhost, user usnort, password loghog

The explanation: The acid_db plugin can be used to insert either
type of unified data (log or alert) into the DB. Alert_unified contains
only pertinent alert info (srcip, dstip, srcport, dstport, timestamp,
proto, alert msg, etc) and NO packet data. Log_unified contains the
alert info plus the actual packet in unified format. By choosing
alert_acid_db you are choosing only to insert the alert info, no matter
which type of unified file you are reading. The downside of using
log_acid_db is that alerts that don't have an associated packet (like
PORTSCAN alerts) will no longer be loaded into the DB.

I am not sure what the error you are getting means. Possibly a corrupted
spool file? Can you post the args you are using to start BY?

Bammkkkkk


On Tue, 2002-10-15 at 08:05, Alwin Raymundo wrote:
> Hi Bamm,
> 
> Thanks for your help.  I have a few questions for you
> if you don't mind.
> 
> 1. where I can find this op_acid_db?
> 
> I followed what you have stated below
> in snort.conf
> output log_unified: filename snort.log, limit 128
> 
> in my barnyard.conf
> config hostname: snorthost
> config interface: fxp0
> config filter: not port 22
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output alert_fast
> output log_dump
> output alert_acid_db: mysql, sensor_id 1, database
> snort, server localhost, user usnort, password loghog
> 
> When I ran BY I got these error messages
> 
> -*> Barnyard! <*-
> Version 0.1.0-rc3 (Build 11)
> By Andrew R. Baker (andrewb at ...950...)
> and Martin Roesch (roesch at ...1935...,
> www.snort.org)
> 
> Loading Data Processors...
> dp_alert loaded
> dp_log loaded
> dp_stream_stat loaded
> Loading Built-in Output Plugins...
> Fast Alert plugin initialized
> AlertSyslog initialized
> Log Dump plugin initialized
> LogPcap initialized
> AcidDb output plugin initialized
> AlertCSV initialized
> Parsing Config file: /etc/snort/barnyard.conf
> Args: mysql, sensor_id 1, database snort, server
> localhost, user usnort, password loghog
> WARNING: absolute path in -f <filename> is overriding
> -d <spool_dir> setting.
> WARNING: spool_dir set to "/var/log/snort"
> Barnyard Version 0.1.0-rc3 (Build 11) started
> ERROR => No input plugin found for magic: a1b2c3d4
> 
> what does it mean "no input plugin found for magic:
> a1b2c3d4"?
> 
> I searched for this in the previous usenet but the
> advice was to upgrade the barnyard and the rules but I
> think I have the new one.
> 
> I'm new with barnyard. Thanks in Advance for your
> help
> --- Bamm Visscher <bamm at ...539...> wrote:
> > I use a modified (different DB schema) op_acid_db
> > and it inserts
> > "payload" data. op_acid_db should also. Check to
> > make sure you are using
> > the log_unified output plugin (alert_unified doesn't
> > log packet data).
> > When you run BY, make sure it is reading the
> > log_unified output (i.e. -f
> > snort.log). IIRC, BY cannot read log_unified and
> > alert_unified at the
> > same time. Finally, in your barnyard.conf, make sure
> > you use 'output
> > log_acid_db' (vice 'output alert_acid_db').
> > 
> > Bammkkkk
> > 
> > On Tue, 2002-10-01 at 07:31, Ron Shuck wrote:
> > > Hey Alwin,
> > > 
> > > I found the same results. I haven't heard if there
> > > are plans to include this, or if it should work and
> > > we just missed something.
> > > 
> > > 
> > > Ron Shuck, CISSP - Managing Consultant
> > > Buchanan Associates - A Technology Company in the
> > > People Business
> > > http://www.buchanan.com
> > > http://www.isc2.org
> > > 
> > > 
> > > ---original message---
> > > Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
> > > From: Alwin Raymundo <alrayworld at ...131...>
> > > To: user snort <snort-users at lists.sourceforge.net>
> > > Subject: [Snort-users] barnyard (Payload)
> > > 
> > > Hi Everybody,
> > > 
> > > I don't know if this is already posted in a previous
> > > discussion; this morning I just set up barnyard.
> > > I like it because it is fast to log all packets in
> > > my mysql and acid, but I notice there is no payload.
> > > 
> > > Is this normal? Is there another way to get the
> > > payload?
> > > 
> > > Any help would be appreciated.
> > > 
> > > Thanks in advance.
> > > 
> 
> 
> =====
> Alwin Raymundo
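A quick check for the "No input plugin found for magic" error above, added here as an example and not part of the thread: the magic barnyard printed, a1b2c3d4, is the libpcap savefile magic, so the file named with -f was a binary tcpdump-format log rather than a unified spool file. The two unified magic constants are assumed from Snort's unified output plugin header, not quoted from the thread.

```python
import struct

# First four bytes of a barnyard spool file, read in host byte order.
# 0xa1b2c3d4 is the libpcap savefile magic (what Snort's binary/tcpdump
# logging writes). The unified magics are the values from Snort's unified
# output plugin as I recall them (assumed, not taken from the thread).
PCAP_MAGIC = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
UNIFIED_ALERT_MAGIC = 0xDEAD4137
UNIFIED_LOG_MAGIC = 0xDEAD1080

KNOWN = {
    PCAP_MAGIC: "pcap savefile (tcpdump-format log): barnyard has no input plugin for this",
    PCAP_MAGIC_SWAPPED: "pcap savefile, byte-swapped: not a unified file",
    UNIFIED_ALERT_MAGIC: "unified alert file: pair with 'output alert_acid_db' (no packet payload)",
    UNIFIED_LOG_MAGIC: "unified log file: pair with 'output log_acid_db' (carries packet payload)",
}


def classify_magic(header: bytes, byteorder: str = "little") -> tuple:
    """Return (magic_hex, description) for the leading bytes of a spool file."""
    if len(header) < 4:
        return ("", "file shorter than 4 bytes: empty or truncated spool file")
    magic = int.from_bytes(header[:4], byteorder)
    hexstr = f"{magic:08x}"
    return (hexstr, KNOWN.get(magic, f"unknown magic {hexstr}: possibly a corrupted spool file"))


def classify_file(path: str) -> tuple:
    """Classify a spool file on disk by its first four bytes."""
    with open(path, "rb") as fh:
        return classify_magic(fh.read(4))


if __name__ == "__main__":
    # Constructed sample headers as a little-endian x86 host would write them;
    # the timestamps in the names are made up.
    samples = {
        "snort.log.1034690000 (pcap)": struct.pack("<I", PCAP_MAGIC) + b"\x02\x00\x04\x00",
        "snort.log.1034690001 (unified log)": struct.pack("<I", UNIFIED_LOG_MAGIC),
        "snort.alert.1034690001 (unified alert)": struct.pack("<I", UNIFIED_ALERT_MAGIC),
        "snort.log.1034690002 (truncated)": b"\xd4",
    }
    for name, hdr in samples.items():
        print(name, "->", classify_magic(hdr))
```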