[Snort-users] Barnyard part 2

Esler, Joel - Contractor joel.esler at ...9426...
Thu Jul 29 07:14:02 EDT 2004


What command line options do you pass barnyard?  Specifically your -d
and -f options?

-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Thursday, July 29, 2004 10:07 AM
To: Jeff Dell
Cc: Esler, Joel - Contractor; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Barnyard part 2


> If your rules are alerts and you are outputting to log_unified you 
> will have issues...
I don't think that's necessarily true.  According to Snort docs: "The
log file contains the detailed packet information ( a packet dump with
the associated event id )".

My sensors are configured to:
output log_unified: filename unified.log, limit 128

And barnyard is configured:
output log_acid_db: mysql, database db, server server, etc...

I found that I only need one output module for snort and one output
module for barnyard. Barnyard takes care of extracting the pertinent
information and entering it into the database, giving me the alert and
the packet payload.  If I had just output log_alert in snort.conf, or
just output alert_acid_db in barnyard the packet detail wouldn't make it
into the database.  And having two output plugins in barnyard tries to
enter the same event into it twice.

Hmmm....I think that's right....

HTH, 

----- Original Message -----
From: Jeff Dell <jdell at ...1095...>
Date: Thu, 29 Jul 2004 09:36:17 -0400
Subject: RE: [Snort-users] Barnyard part 2
To: "Esler, Joel - Contractor" <joel.esler at ...9426...>,
snort-users at lists.sourceforge.net


Make sure you are alerting to unified as well. i.e. uncomment the
following line in your snort.conf file:
 
output alert_unified: filename snort.alert, limit 128
 
If your rules are alerts and you are outputting to log_unified you will
have issues...
 
Jeff


________________________________
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler,
Joel - Contractor
Sent: Thursday, July 29, 2004 8:46 AM
To: Esler, Joel - Contractor; snort-users at lists.sourceforge.net;
Maetzky, Steffen (Extern)
Subject: RE: [Snort-users] Barnyard part 2



I see that my Snort -> mysql used the "log" facility.  Is there a
similar command in barnyard, or do I have to change my rules from alert
to log?
 
J


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler,
Joel - Contractor
Sent: Thursday, July 29, 2004 8:40 AM
To: snort-users at lists.sourceforge.net; Maetzky, Steffen (Extern)
Subject: [Snort-users] Barnyard part 2


Okay. Now, previous setup was Snort logging directly to mysql.  Now it
is logging to unified, Barnyard is now processing the mysql entries;
however, it is not inputting the packet data into ACID.  Where did the
packet data go?
 
J
 
(barnyard.conf)
 
output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
 
Do I need to comment out alert_acid_db, and make it just "log_acid_db"?
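The thread turns on two things: which unified spool Barnyard is actually reading (Joel's question about -d and -f), and whether the Barnyard output plugin matches that spool (sekure's point that only the log stream carries the packet, so log_unified paired with log_acid_db is what puts payloads in the database). The script below is an added example, not code from this thread or from the Snort or Barnyard projects. It parses the "output" lines of a snort.conf and a barnyard.conf, reads the -f argument off a Barnyard command line, and reports whether packet payloads can reach ACID. It assumes what the messages above state: alert_unified records carry event data only, log_unified records carry the packet, and Barnyard's -f names the unified spool base filename that has to match a "filename" option in snort.conf. Both config samples are constructed, modelled on the fragments quoted in the thread.

```python
# Added example (not from the thread, Snort or Barnyard): cross-check a
# snort.conf / barnyard.conf pair against the barnyard command line and say
# whether packet payloads can reach the ACID database.
#
# Assumptions (labelled; taken from the discussion above, not verified here):
#  - alert_unified records carry event data only; log_unified records carry
#    the packet, so only log_unified -> log_acid_db gets payloads into the DB.
#  - barnyard's "-f <base>" names the unified spool base filename, which must
#    match a "filename" option on one of Snort's unified output lines.
import re
import shlex

# Constructed sample configs, modelled on the fragments quoted in the thread.
SNORT_CONF = """\
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
# output database: log, mysql, user=snort dbname=snort host=localhost
"""

BARNYARD_CONF = """\
output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
"""

# Matches an active "output <plugin>: <args>" line; '#' comments never match.
OUTPUT_LINE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$", re.MULTILINE)


def parse_outputs(conf_text):
    """Map each active 'output <plugin>: ...' line to its {key: value} options.

    Bare tokens such as 'mysql' are recorded with the value True; tokens of the
    form 'key value' (filename, limit, server, detail, ...) keep their value.
    """
    plugins = {}
    for match in OUTPUT_LINE.finditer(conf_text):
        name, arg_text = match.group(1), match.group(2)
        opts = {}
        for token in (t.strip() for t in arg_text.split(",")):
            if not token:
                continue
            key, _, value = token.partition(" ")
            opts[key] = value.strip() if value else True
        plugins[name] = opts
    return plugins


def spool_kind(snort_outputs, spool_base):
    """Return 'alert' or 'log' depending on which unified output writes spool_base."""
    for plugin, kind in (("alert_unified", "alert"), ("log_unified", "log")):
        opts = snort_outputs.get(plugin)
        if opts and opts.get("filename") == spool_base:
            return kind
    return None


def check_pipeline(snort_conf, barnyard_conf, barnyard_cmdline):
    """Report whether this Snort -> unified -> Barnyard -> ACID chain stores payloads."""
    snort_out = parse_outputs(snort_conf)
    by_out = parse_outputs(barnyard_conf)
    argv = shlex.split(barnyard_cmdline)
    spool_base = argv[argv.index("-f") + 1] if "-f" in argv[:-1] else None

    findings = []
    kind = spool_kind(snort_out, spool_base)
    if kind is None:
        findings.append(f"-f {spool_base!r} does not match any unified filename in snort.conf")
        return {"spool": None, "payload_in_db": False, "findings": findings}

    wanted = f"{kind}_acid_db"
    if wanted not in by_out:
        findings.append(f"barnyard reads {kind} records but has no {wanted} output plugin")
    if kind == "alert":
        findings.append("alert_unified carries no packet data; payload cannot reach the DB from this spool")
    if kind == "log" and "alert_acid_db" in by_out:
        findings.append("alert_acid_db is configured but idle while barnyard reads log records")

    return {"spool": kind, "payload_in_db": kind == "log" and wanted in by_out, "findings": findings}


if __name__ == "__main__":
    for cmd in ("barnyard -c barnyard.conf -d /var/log/snort -f snort.log -w barnyard.waldo",
                "barnyard -c barnyard.conf -d /var/log/snort -f snort.alert -w barnyard.waldo"):
        print(cmd)
        print(" ", check_pipeline(SNORT_CONF, BARNYARD_CONF, cmd))
```

Run against the two command lines in the block, the first (-f snort.log) reports payload_in_db True with alert_acid_db flagged as idle, and the second (-f snort.alert) reports payload_in_db False, which is the symptom described at the top of this thread: events arrive in ACID but the packet data never does.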
