[Snort-users] barnyard processing of unified snort files

Scott Renna srenna at ...9588...
Thu Jul 3 08:23:35 EDT 2003


Hello all,

I have gotten everything running nice and smoothly with Snort and
Barnyard now, but I was wondering about Snort unified alert file names.
The files that I have are snort.alert.######
and snort.log.########.  According to the Barnyard docs, these #s represent
the time in seconds since the epoch.  Is there any way to actually set these
so that they are output in a date and time format that is a little more
humanly comprehensible?  The problem I'm running into when using
Barnyard with these files is that the output logs that Barnyard spits
out don't show the proper time; it's off by about 4 hours.  I have
checked my machine and its time is set properly.

Has anyone else seen something like this in alert_fast.log?:

My local time at this time was about 10:27am

07/03/03-14:27:29.216803 {TCP} 192.168.2.4:44890 -> 192.168.2.238:675
[**] [117:1:1] spp_portscan2: Portscan detected! [**]
[Classification: Unknown] [Priority: 0]

Also, while I'm emailing this off, I had a question regarding
using the -f switch for continuous processing.  The docs for
Barnyard say to specify the spool, so I'm running two Barnyard processes,
one with -f /var/log/snort/snort.alert and one with -f
/var/log/snort/snort.log, in order to have it review both types of files.
Is this the proper syntax, or is there a better way?

Many thanks

Scott Renna

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

*************************** 
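As an added example (not part of Scott's post or of Barnyard's own code): a short Python script that decodes the epoch suffix of a unified file name into UTC and local time, and measures the whole-hour offset between an alert_fast timestamp and the local wall clock observed at the same moment. It assumes the local zone is EDT (UTC-4, as in July 2003) and uses a constructed file name; the alert_fast line is the one quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample file name (not from the post); the suffix is seconds since
# the Unix epoch, here chosen to match the timestamp on the quoted alert line.
SAMPLE_FILE = "snort.alert.1057242449"
# The alert_fast line quoted in the post.
SAMPLE_FAST_LINE = "07/03/03-14:27:29.216803 {TCP} 192.168.2.4:44890 -> 192.168.2.238:675"

# Assumed local zone: US Eastern Daylight Time, fixed at UTC-4.
EDT = timezone(timedelta(hours=-4), "EDT")
NAME_RE = re.compile(r"^snort\.(alert|log)\.(\d+)$")


def parse_unified_name(name, tz=EDT):
    """Split 'snort.<alert|log>.<epoch>' into (kind, utc_time, local_time)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a unified snort file name: {name!r}")
    kind, epoch = m.group(1), int(m.group(2))
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return kind, utc, utc.astimezone(tz)


def fast_timestamp(line):
    """Parse the leading MM/DD/YY-HH:MM:SS.usec stamp of an alert_fast line.

    The stamp carries no zone marker, so the result is naive: whether it is
    UTC or local time has to be established by comparison, as below."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%m/%d/%y-%H:%M:%S.%f")


def offset_hours(line, local_hhmmss):
    """Whole-hour difference between the stamp in the log line and the local
    wall clock ('HH:MM:SS') read at the same instant.  A constant non-zero
    value points to a zone mismatch between writer and reader, not to a
    wrong system clock."""
    logged = fast_timestamp(line)
    h, mi, s = (int(x) for x in local_hhmmss.split(":"))
    observed = logged.replace(hour=h, minute=mi, second=s, microsecond=0)
    return round((logged - observed).total_seconds() / 3600)


if __name__ == "__main__":
    kind, utc, local = parse_unified_name(SAMPLE_FILE)
    print(kind, utc.isoformat(), local.isoformat())
    print("offset (h):", offset_hours(SAMPLE_FAST_LINE, "10:27:29"))
```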