[Snort-users] Barnyard, Mudpit, and the Unified Output Format

Andreas Östling andreaso at ...236...
Wed Aug 25 11:00:02 EDT 2004


Maybe it's getting a bit off-topic, but I thought I'd mention that 
I think having tagged packets in the db can be useful even if each one 
creates a new event, although it would be nicer if it was done in a 
better way. I doubt it would ever be useful in ACID, but I created a 
simple patch for Sguil so you can query an alert for related tagged 
packets (qualified guess), or packets belonging to the same session as 
the alert, and then create some output from it. Sample screenshot is at 
http://people.su.se/~andreaso/sguiltmp/

/Andreas


On Tuesday 24 August 2004 15:27, Alex Butcher, ISC/ISYS wrote:
> I emailed the list a while back about how tagging works in conjunction with
> unified logging and spool processors. Andrew Baker (barnyard author) wrote:
>
> The unified output plugins definitely support the tag option.  When tagging
> is enabled, all of the tagged packets will be written to the unified log
> file.  Additionally, with recent versions of Snort, if an alert is
> triggered on a reassembled stream, then all of the packets for the stream
> will also be written to the unified log file.  While I cannot speak for
> mudpit, Barnyard will process the tagged packets.  However, how they are
> processed is up to the discretion of each output plug-in.  I do know that
> the ACID database output plugin in Barnyard does not treat tagged packets
> properly.  IIRC, each tagged packet will become a new event entry in the
> database instead of having all the packets associated with a single event.
> This is a limitation of the database design since it significantly predates
> tagged packet support.
>
> -A
