[Snort-users] barnyard (Payload)

Martin Roesch roesch at ...1935...
Tue Oct 15 15:29:05 EDT 2002


You need to set up log_unified in your snort.conf; alert_unified only 
reports the event data, not the packet logs.

      -Marty

On Tuesday, October 15, 2002, at 08:37 AM, Alwin Raymundo wrote:

> Hi Marty,
>
> Sorry, I'm busy this week and I just opened my email.
>
> in my snort.conf
> output aler_unified: filename snort.alert, limit 128
>
> in barnyard.conf
> config hostname: snorthost
> config interface: fxp0
> config filter: not port 22
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output alert_fast
> output log_dump
> output alert_acid_db: mysql, sensor_id 1, database
> snort, server localhost, user usnort, password loghog
>
> I'm new to barnyard. Thanks in advance for your
> help.
>
> Your brother in snort
>
> Alwin
> --- Martin Roesch <roesch at ...1935...> wrote:
>> Which unified output option are you guys using?
>>
>>       -Marty
>>
>>
>> On 10/1/02 8:57 AM, "Alwin Raymundo"
>> <alrayworld at ...131...> wrote:
>>
>>> Hi Ron,
>>>
>>> Yap, to me the payload is very important, in my
>>> own opinion. We know that somebody is trying to do some
>>> nasty thing to our server, but how?
>>>
>>> Without the payload it looks like I'm shooting in
>>> the dark.
>>>
>>> Thanks
>>>
>>>
>>> --- Ron Shuck <rshuck at ...6736...> wrote:
>>>> Hey Alwin,
>>>>
>>>> I found the same results. I haven't heard if there
>>>> are plans to include this, or if it should work and
>>>> we just missed something.
>>>>
>>>>
>>>> Ron Shuck, CISSP - Managing Consultant
>>>> Buchanan Associates - A Technology Company in the
>>>> People Business
>>>> http://www.buchanan.com
>>>> http://www.isc2.org
>>>>
>>>>
>>>> ---original message---
>>>> Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
>>>> From: Alwin Raymundo <alrayworld at ...131...>
>>>> To: user snort <snort-users at lists.sourceforge.net>
>>>> Subject: [Snort-users] barnyard (Payload)
>>>>
>>>> Hi Everybody,
>>>>
>>>> I don't know if this is already posted in a previous
>>>> discussion; this morning I just set up barnyard.
>>>> I like it because it is fast to log all packets to my
>>>> mysql and acid, but I notice there is no payload.
>>>>
>>>> Is this normal? Is there another way to get the
>>>> payload?
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>> =====
>>> Alwin Raymundo
>>>
>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>
>>
>> -- 
>> Martin Roesch - Founder/CTO Sourcefire Inc. - (410)
>> 290-1616
>> Sourcefire: Professional Snort Sensor and Management
>> Console appliances
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS -
>> http://www.snort.org
>>
>>
>>
>>
>
>
> =====
> Alwin Raymundo
>
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
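As an added example (not from the thread), here is the snort.conf/barnyard.conf pairing the reply describes: the configuration as posted, which only writes unified alert records and so gives barnyard no payload, next to the corrected one that adds the unified packet log. It assumes barnyard's log_acid_db output plugin takes the same database parameters as the alert_acid_db line quoted above.

```conf
# --- snort.conf, as posted: alert_unified writes one fixed-size event record
# --- per alert and no packet bytes, so nothing downstream can show a payload.
output alert_unified: filename snort.alert, limit 128

# --- snort.conf, corrected: keep the alert stream and add the packet log stream.
# --- log_unified writes the triggering packet itself, which is where the payload lives.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# --- barnyard.conf: dp_log reads the snort.log stream; a log_* output plugin
# --- is needed to store the packet rows, alert_acid_db only stores event rows.
config hostname: snorthost
config interface: fxp0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_fast
# Assumed to accept the same parameters as alert_acid_db (see the thread);
# <db-password> is a placeholder for the real credential.
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password <db-password>
output log_acid_db:   mysql, sensor_id 1, database snort, server localhost, user usnort, password <db-password>
# This file now carries database credentials in the clear: keep it readable
# only by the account that runs barnyard.
```

With both unified files in place, the event records and the packet records share the same event ids, so the ACID console can join an alert to the packet that triggered it.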