[Snort-users] No detail or contents in acid and barnyard

Bamm Visscher bamm at ...539...
Thu Jun 5 05:20:05 EDT 2003


Unified output 'alert' data doesn't contain any packet info. You need to make sure barnyard is tracking the unified 'log' file and that the database output plugin is attached to the log facility. Barnyard CANNOT process both unified types at once:

  barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.log
  # Disable the below line
  #output alert_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
  output log_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx

Bammkkkk


On Thu, Jun 05, 2003 at 04:51:49PM +1200, Russell Fulton wrote:
> Greetings All,
> 	    I am running snort 2.0 with the unified output plugin (see appended
> config file) and using barnyard (see command line and conf file
> appended).  
> 
> Data is being logged to the database and displayed by acid but I get no
> details (i.e. no IP header fields except addresses nor tcp fields except
> port numbers) and no packet contents.
> 
> I have tried various strategies with running barnyard to handle both the
> alert and log file:
>       * -d log_dir -f snort.alert -f snort.log  and both outputs enabled
>         in the conf file.  This does not produce any errors.
>       * two processors one for the log and one for the alert, log
>         process always seems to exit (no errors printed).
> 
> Clearly I am missing something; can someone please take the time to look at
> the configs and try to spot the problem.
> 
> [ I have searched the archive and found several references to this
> problem but no real solutions. When I get this fixed I'll write an answer
> for the FAQ!]
> 
> Thanks!  Russell
> 
> -- 
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
> 
> snort command line
> 
> snort -c unified.rules -D -g snort -i xl0 -l /home/snort/LOGS/DMZ-O/barnyard/ -m 2 -o -U -u snort -X 
> 
> snort.conf...
> 
> var HOME_NET [xxxxx]
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH /home/snort/Rules/current
> preprocessor frag2
> preprocessor stream4 : disable_evasion_alerts, ttl_limit 5
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> 
> output alert_unified: filename snort.alert, limit 50
> output log_unified: filename snort.log, limit 50
> 
> include  $RULE_PATH/classification.config
> include  $RULE_PATH/reference.config
> 
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> .......
> ----------------------------------------------------------------------
> Barnyard command line:
> 
> barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.alert -f snort.log
> 
> Barnyard.conf
> 
> config hostname:xxxx
>  
> config interface: xl0
>  
> config filter: not port 22
>   
> processor dp_alert
>  
> processor dp_log
>  
> processor dp_stream_stat
>  
> output alert_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
>  
> output log_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
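The misconfiguration in this thread (two `-f` files on one barnyard command line, and an `alert_*` database plugin left enabled while the packet data lives in the unified `log` file) is easy to spot mechanically. The script below is an added example for this thread, not Snort's or barnyard's own code; it assumes only the config syntax visible above (`output alert_unified: filename ...` / `output log_unified: filename ...` in snort.conf, `processor dp_alert` / `dp_log` and `output alert_*:` / `output log_*:` in barnyard.conf) and the point of Bamm's reply: unified 'alert' records carry no packet data, so headers and payload only reach ACID through the 'log' file, a `log_*` output plugin, and one unified file per barnyard process. The sample configs embedded in it are constructed from the thread, with hostnames and passwords replaced by placeholders.

```python
"""Sanity-check a Snort 2.x unified-output / barnyard pairing.

Added example for this thread, not Snort's or barnyard's own code. It assumes
the config syntax shown in the thread:
    snort.conf:    output alert_unified: filename snort.alert, limit 50
                   output log_unified: filename snort.log, limit 50
    barnyard.conf: processor dp_alert | dp_log ; output alert_*: ... | log_*: ...
and the point of the reply: unified 'alert' records carry no packet data, so
packet detail needs the 'log' file plus a log_* output, one unified file per
barnyard process.
"""
import re
import shlex


def unified_filenames(snort_conf):
    """Map each unified filename declared in snort.conf to its facility ('alert'/'log')."""
    facility_of = {}
    pat = re.compile(r"^\s*output\s+(alert|log)_unified:\s*filename\s+([^,\s]+)", re.M)
    for m in pat.finditer(snort_conf):
        facility_of[m.group(2)] = m.group(1)
    return facility_of


def parse_barnyard_conf(text):
    """Return (processors, outputs) that are actually enabled (not commented out)."""
    processors, outputs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a leading '#' disables the plugin, which is how the fix above works
        m = re.match(r"processor\s+(\S+)", line)
        if m:
            processors.append(m.group(1))
            continue
        m = re.match(r"output\s+(\w+)\s*:", line)
        if m:
            outputs.append(m.group(1))
    return processors, outputs


def tracked_files(cmdline):
    """Every '-f <file>' argument on the barnyard command line."""
    argv = shlex.split(cmdline)
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-f"]


def check_setup(snort_conf, barnyard_cmdline, barnyard_conf, want_packet_detail=True):
    """Return a list of findings; an empty list means the pairing is consistent."""
    findings = []
    files = tracked_files(barnyard_cmdline)
    if len(files) != 1:
        findings.append("barnyard must track exactly one unified file per process, got %r" % (files,))
        return findings
    facility = unified_filenames(snort_conf).get(files[0])
    if facility is None:
        findings.append("%s is not a unified filename declared in snort.conf" % files[0])
        return findings
    processors, outputs = parse_barnyard_conf(barnyard_conf)
    if "dp_" + facility not in processors:
        findings.append("processor dp_%s is not enabled, so the unified %s file will not be read" % (facility, facility))
    wrong = [o for o in outputs if not o.startswith(facility + "_")]
    if wrong:
        findings.append("output plugin(s) %s are attached to the wrong facility for the unified %s file" % (", ".join(wrong), facility))
    if not any(o.startswith(facility + "_") for o in outputs):
        findings.append("no output plugin is attached to the %s facility" % facility)
    if want_packet_detail and facility == "alert":
        findings.append("unified alert records carry no packet data; track the log_unified file with a log_* output to get headers and payload")
    return findings


# Constructed samples mirroring the thread (server name and password are placeholders).
SNORT_CONF = """\
output alert_unified: filename snort.alert, limit 50
output log_unified: filename snort.log, limit 50
"""
BROKEN_CMDLINE = "barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.alert -f snort.log"
BROKEN_CONF = """\
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example, user snort, password XXX
output log_acid_db: mysql, sensor_id 1, database snort, server db.example, user snort, password XXX
"""
FIXED_CMDLINE = "barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.log"
FIXED_CONF = BROKEN_CONF.replace("output alert_acid_db", "#output alert_acid_db")

if __name__ == "__main__":
    for label, cmd, conf in (("as posted", BROKEN_CMDLINE, BROKEN_CONF),
                             ("after the fix", FIXED_CMDLINE, FIXED_CONF)):
        print(label + ":", check_setup(SNORT_CONF, cmd, conf) or ["ok"])
```

Run it as-is to compare the posted setup against the corrected one; to check a real sensor, pass the contents of snort.conf, the barnyard command line from the process table, and barnyard.conf to `check_setup`. Plugins are classified purely by their `alert_`/`log_` name prefix, which matches every barnyard output plugin named in the thread; a second barnyard process for the alert file would be checked the same way with `want_packet_detail=False`.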