[Snort-users] barnyard (Payload)

Martin Roesch roesch at ...1935...
Wed Oct 16 08:24:04 EDT 2002


Your barnyard command line is wrong, the -f switch should take the 
argument "snort.log", not "scan.log".

      -Marty

On Wednesday, October 16, 2002, at 08:46 AM, Alwin Raymundo wrote:

> Hi Martin,
>
> Thanks for the info.
>
> I already adjusted my configuration on both snort
> and barnyard, but it is still showing me an error.
> -*> Barnyard! <*-
> Version 0.1.0-rc3 (Build 11)
> By Andrew R. Baker (andrewb at ...950...)
> and Martin Roesch (roesch at ...1935...,
> www.snort.org)
>
> Loading Data Processors...
> dp_alert loaded
> dp_log loaded
> dp_stream_stat loaded
> Loading Built-in Output Plugins...
> Fast Alert plugin initialized
> AlertSyslog initialized
> Log Dump plugin initialized
> LogPcap initialized
> AcidDb output plugin initialized
> AlertCSV initialized
> Parsing Config file: /etc/snort/barnyard.conf
> Args: mysql, sensor_id 1, database snort, server
> localhost, user usnort, password loghog, detail full
> Barnyard Version 0.1.0-rc3 (Build 11) started
> No Files found to read.  Exiting
> Fatal Error, Quitting..
> Exiting
>
> barnyard.conf
> output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user thalium, password 4e770!, detail full
>
> in my snort.conf
> output log_unified: filename snort.log, limit 128
>
>
> and I started by barnyard with
> barnyard  -c /etc/snort/barnyard.conf \
>     -d /var/log/snort -g /etc/snort/gen-msg.map \
>     -s /etc/snort/sid-msg.map -f scan.log
>
> Is there any misconfiguration that I did?  Because
> barnyard is complaining about "no files found to read".
> When I look at my /var/log/snort the file snort.log is
> there and exists. Please correct me if I did a
> misconfiguration.  I appreciate it.
>
> Thanks
>
> Your brother in snort
>
>
> --- Martin Roesch <roesch at ...1935...> wrote:
>> You need to setup log_unified in your snort.conf, alert_unified only
>> reports the event data, not the packet logs.
>>
>>       -Marty
>>
>> On Tuesday, October 15, 2002, at 08:37 AM, Alwin Raymundo wrote:
>>
>>> Hi Marty,
>>>
>>> Sorry I'm busy this week and I just open my email.
>>>
>>> in my snort.conf
>>> output aler_unified: filename snort.alert, limit 128
>>>
>>> in barnyard.conf
>>> config hostname: snorthost
>>> config interface: fxp0
>>> config filter: not port 22
>>> processor dp_alert
>>> processor dp_log
>>> processor dp_stream_stat
>>> output alert_fast
>>> output log_dump
>>> output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password loghog
>>>
>>> I'm new with barnyard. Thanks in Advance for your
>>> help.
>>>
>>> Your brother in snort
>>>
>>> Alwin
>>> --- Martin Roesch <roesch at ...1935...> wrote:
>>>> Which unified output option are you guys using?
>>>>
>>>>       -Marty
>>>>
>>>>
>>>> On 10/1/02 8:57 AM, "Alwin Raymundo" <alrayworld at ...131...> wrote:
>>>>
>>>>> Hi Ron,
>>>>>
>>>>> Yep, to me the payload is very important, in my
>>>>> own opinion.  We know that somebody is trying to do
>>>>> some nasty thing to our server, but how?
>>>>>
>>>>> Without the payload it looks like I'm shooting in
>>>>> the dark.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> --- Ron Shuck <rshuck at ...6736...> wrote:
>>>>>> Hey Alwin,
>>>>>>
>>>>>> I found the same results. I haven't heard if there
>>>>>> are plans to include this, or if it should work and
>>>>>> we just missed something.
>>>>>>
>>>>>>
>>>>>> Ron Shuck, CISSP - Managing Consultant
>>>>>> Buchanan Associates - A Technology Company in the People Business
>>>>>> http://www.buchanan.com
>>>>>> http://www.isc2.org
>>>>>>
>>>>>>
>>>>>> ---original message---
>>>>>> Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
>>>>>> From: Alwin Raymundo <alrayworld at ...131...>
>>>>>> To: user snort <snort-users at lists.sourceforge.net>
>>>>>> Subject: [Snort-users] barnyard (Payload)
>>>>>>
>>>>>> Hi Everybody,
>>>>>>
>>>>>> I don't know if this is already posted in a
>>>>>> previous discussion; this morning I just set up
>>>>>> barnyard.
>>>>>> I like it because it is fast to log all packets in
>>>>>> my mysql and acid, but I notice there is no
>>>>>> payload.
>>>>>>
>>>>>> Is this normal? Is there another way to get the
>>>>>> payload?
>>>>>>
>>>>>> Any help would be appreciated.
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>>
>>>>>
>>>>> =====
>>>>> Alwin Raymundo
>>>>>
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>> -- 
>>>> Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
>>>> Sourcefire: Professional Snort Sensor and Management Console appliances
>>>> roesch at ...1935... - http://www.sourcefire.com
>>>> Snort: Open Source Network IDS - http://www.snort.org
>>>>
>>>
>>>
>>> =====
>>> Alwin Raymundo
>>>
>> -- 
>> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
>> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
>>
> === message truncated ===
>
>
> =====
> Alwin Raymundo
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
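A preflight check for the mismatch Marty points out, added here as an example; it is not part of the thread and not barnyard's own code. It reads the `filename` of the `output log_unified:` line out of snort.conf, compares it with the base name given to `barnyard -f`, and confirms that at least one `snort.log.<timestamp>` spool file exists in the `-d` directory (the condition behind "No Files found to read"). The snort.conf and spool file it creates in a temp directory are constructed sample data standing in for /etc/snort and /var/log/snort; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from barnyard): check that the base
# name handed to `barnyard -f` matches the `filename` of the log_unified
# output in snort.conf, and that the -d directory actually holds spool files
# for it. Snort's unified plugin names its files <filename>.<unix timestamp>,
# e.g. snort.log.1034773200.

# Print the filename value from the "output log_unified:" line of snort.conf ($1).
unified_basename() {
    sed -n 's/^output[[:space:]]*log_unified:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Count regular files in directory $1 whose names start with "$2.".
spool_file_count() {
    n=0
    for f in "$1/$2".*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_barnyard_args SNORT_CONF LOGDIR BASENAME
# exit status: 0 consistent, 1 no log_unified line or -f mismatch, 2 no spool files
check_barnyard_args() {
    conf=$1; dir=$2; want=$3
    have=$(unified_basename "$conf")
    if [ -z "$have" ]; then
        echo "$conf has no 'output log_unified' line (alert_unified carries event data only, no packet payload)" >&2
        return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "mismatch: snort.conf writes '$have' but barnyard -f was given '$want'" >&2
        return 1
    fi
    if [ "$(spool_file_count "$dir" "$want")" -eq 0 ]; then
        echo "no $want.* spool files in $dir; barnyard would report 'No Files found to read'" >&2
        return 2
    fi
    echo "ok: barnyard -d $dir -f $want matches snort.conf"
    return 0
}

# Constructed demo environment standing in for /etc/snort and /var/log/snort.
demo() {
    d=$(mktemp -d)
    printf 'output alert_unified: filename snort.alert, limit 128\n' >  "$d/snort.conf"
    printf 'output log_unified: filename snort.log, limit 128\n'    >> "$d/snort.conf"
    : > "$d/snort.log.1034773200"   # constructed spool file name
    # The thread's command line used -f scan.log: rejected as a mismatch.
    check_barnyard_args "$d/snort.conf" "$d" scan.log || echo "scan.log rejected (status $?)"
    # With -f snort.log the arguments agree with snort.conf.
    check_barnyard_args "$d/snort.conf" "$d" snort.log
    rm -rf "$d"
}
demo
```

Run it before starting barnyard in continual mode: a status of 1 means the `-f` base name does not match what Snort is writing (or no `log_unified` output is configured at all, which is the earlier problem in this thread), and 2 means the directory is right but Snort has not written any unified log file yet.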




