[Snort-users] Issue with barnyard & unified alert log file

Marc Dreher MarcDreher at ...158...
Fri Sep 6 04:47:02 EDT 2002


forgot subject in last post ...

Hi all,

I posted this question already a couple of days ago. As I did not get an
answer either nobody knows (which I doubt) or it is a very well known
issue and I was tu stupid to find the answer in the faq or list history
(although I looked closly). The problem is the following.
When I have snort logging alerts in unified form to a file and take this
file as input for barnyard to write the output either to syslog or the
alert_fast output plugin I do not get any IP adresses or time information
for spp_portscan alerts. Output from alert_fast for example looks like this:

01/01/-30-00:00:00.000000 {IP} ->
[**] [100:2:1] spp_portscan: Portscan Status [**]
[Classification: Not Suspicious Traffic] [Priority: 0]

all other alerts are fine. When I have snort log into the plain ascii
alert file everything is ok as well.

Thanks fo any hints.

GMX - Die Kommunikationsplattform im Internet.

More information about the Snort-users mailing list