[Snort-users] Barnyard part 2

Esler, Joel - Contractor joel.esler at ...9426...
Thu Jul 29 11:52:28 EDT 2004


Sekure, 

Ur right.  Now if only barnyard would have an output module to Oracle.

J

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of sekure
Sent: Thursday, July 29, 2004 10:28 AM
To: Esler, Joel - Contractor
Cc: Jeff Dell; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Barnyard part 2


-d {Snort_log_directory} -f unified.log 
(since snort is configured to output log_unified: filename unified.log,
limit 128)


On Thu, 29 Jul 2004 10:13:02 -0400, Esler, Joel - Contractor
<joel.esler at ...9426...> wrote:
> What command line options do you pass barnyard?  Specifically your -d 
> and -f options?
> 
> 
> 
> -----Original Message-----
> From: sekure [mailto:sekure at ...11827...]
> Sent: Thursday, July 29, 2004 10:07 AM
> To: Jeff Dell
> Cc: Esler, Joel - Contractor; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Barnyard part 2
> 
> > If your rules are alerts and you are outputting to log_unified you 
> > will have issues...
> I don't think that's necessarily true.  According to Snort docs: "The 
> log file contains the detailed packet information ( a packet dump with
> the associated event id )".
> 
> My sensors are configured to:
> output log_unified: filename unified.log, limit 128
> 
> And barnyard is configured:
> output log_acid_db: mysql, database db, server server, etc...
> 
> I found that I only need one output module for snort and one output 
> module for barnyard. Barnyard takes care of extracting the pertinent 
> information and entering it into the database, giving me the alert and
> the packet payload.  If I had just output log_alert in snort.conf, or 
> just output alert_acid_db in barnyard the packet detail wouldn't make 
> it into the database.  And having two output plugins in barnyard tries
> to enter the same event into it twice.
> 
> Hmmm....I think that's right....
> 
> HTH,
> 
> ----- Original Message -----
> From: Jeff Dell <jdell at ...1095...>
> Date: Thu, 29 Jul 2004 09:36:17 -0400
> Subject: RE: [Snort-users] Barnyard part 2
> To: "Esler, Joel - Contractor" <joel.esler at ...9426...>, 
> snort-users at lists.sourceforge.net
> 
> Make sure you are alerting to unified as well. i.e. uncomment the 
> following line in your snort.conf file:
> 
> output alert_unified: filename snort.alert, limit 128
> 
> If your rules are alerts and you are outputting to log_unified you 
> will have issues...
> 
> Jeff
> 
> ________________________________
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler, 
> Joel - Contractor
> Sent: Thursday, July 29, 2004 8:46 AM
> To: Esler, Joel - Contractor; snort-users at lists.sourceforge.net;
> Maetzky, Steffen (Extern)
> Subject: RE: [Snort-users] Barnyard part 2
> 
> I see that my Snort -> mysql used the "log" facility.  Is there a 
> similar command in barnyard, or do I have to change my rules from 
> alert to log?
> 
> J
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler, 
> Joel - Contractor
> Sent: Thursday, July 29, 2004 8:40 AM
> To: snort-users at lists.sourceforge.net; Maetzky, Steffen (Extern)
> Subject: [Snort-users] Barnyard part 2
> 
> Okay, Now, previous setup was Snort logging directly to mysql.  Now it
> is logging to unified, Barnyard is now processing the mysql entries, 
> however, it is not inputting the packet data into ACID.  Where did the
> packet data go?
> 
> J
> 
> (barnyard.conf)
> 
> output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
> output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
> 
> Do I need to comment out alert_acid_db, and make it just "log_acid_db"?
>

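The thread turns on one pairing rule: Snort's alert_unified writes alert records and log_unified writes log records (event plus packet dump), and Barnyard's alert_acid_db consumes the former while log_acid_db consumes the latter, so a Barnyard plugin with no matching unified output on the Snort side has nothing to insert, which is why packet data went missing with alert_acid_db alone. The checker below is an added example, not code from the thread's participants or from the Snort or Barnyard projects. It parses the `output` lines of the two configs quoted above (reproduced here as constructed sample text), reports which Barnyard DB plugin has a source, and derives the `-d`/`-f` invocation sekure describes; the spool directory is an assumed value.

```python
"""Check that Snort unified outputs and Barnyard database plugins are paired.

Added example, not code from the thread's authors or from the Snort/Barnyard
projects. It assumes, as the thread describes, that Barnyard's alert_acid_db
consumes the alert records written by Snort's alert_unified and log_acid_db
consumes the log records (with packet data) written by log_unified, and that
one barnyard instance reads one spool base filename via -d/-f.
"""
import re

SNORT_UNIFIED = {"alert_unified": "alert", "log_unified": "log"}   # writer -> record type
BARNYARD_DB = {"alert_acid_db": "alert", "log_acid_db": "log"}     # reader -> record type

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")
FILENAME_RE = re.compile(r"\bfilename\s+([^,\s]+)")

# Constructed configs modelled on the ones quoted in the thread.
SNORT_CONF = """\
# output alert_unified: filename snort.alert, limit 128
output log_unified: filename unified.log, limit 128
"""
BARNYARD_CONF = """\
output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
"""


def parse_outputs(conf_text):
    """Return {plugin: options} for every uncommented 'output plugin: options' line."""
    outputs = {}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            outputs[m.group(1)] = m.group(2)
    return outputs


def unified_files(snort_conf):
    """Map record type ('alert'/'log') -> spool base filename Snort writes."""
    files = {}
    for plugin, opts in parse_outputs(snort_conf).items():
        if plugin in SNORT_UNIFIED:
            m = FILENAME_RE.search(opts)
            files[SNORT_UNIFIED[plugin]] = m.group(1) if m else None
    return files


def check_pairing(snort_conf, barnyard_conf):
    """Map each Barnyard DB plugin -> the unified file feeding it, or None if no source."""
    produced = unified_files(snort_conf)
    return {
        plugin: produced.get(BARNYARD_DB[plugin])
        for plugin in parse_outputs(barnyard_conf)
        if plugin in BARNYARD_DB
    }


def unconsumed_files(snort_conf, barnyard_conf):
    """Unified files Snort writes that no configured Barnyard DB plugin reads."""
    consumed = {BARNYARD_DB[p] for p in parse_outputs(barnyard_conf) if p in BARNYARD_DB}
    return [f for rtype, f in unified_files(snort_conf).items() if rtype not in consumed]


def barnyard_cmdlines(spool_dir, snort_conf):
    """One 'barnyard -d DIR -f FILE' per unified spool (the -d/-f options from the thread)."""
    return [f"barnyard -d {spool_dir} -f {f}" for f in unified_files(snort_conf).values() if f]


def report(snort_conf, barnyard_conf):
    """Human-readable findings: each plugin's source, plus spools nobody reads."""
    lines = []
    for plugin, src in check_pairing(snort_conf, barnyard_conf).items():
        rtype = BARNYARD_DB[plugin]
        if src is None:
            lines.append(f"{plugin}: no {rtype}_unified output in snort.conf; "
                         f"this plugin has nothing to insert")
        else:
            lines.append(f"{plugin}: reads {rtype} records from {src}")
    for f in unconsumed_files(snort_conf, barnyard_conf):
        lines.append(f"{f}: written by Snort but no Barnyard DB plugin consumes it")
    return lines


if __name__ == "__main__":
    for line in report(SNORT_CONF, BARNYARD_CONF):
        print(line)
    for cmd in barnyard_cmdlines("/var/log/snort", SNORT_CONF):  # assumed spool directory
        print(cmd)
```

Run against the constructed configs, the report shows alert_acid_db with no alert_unified source and log_acid_db reading from unified.log, which matches the symptom in the thread; uncommenting alert_unified in the Snort sample gives alert_acid_db a source and yields a second barnyard command line for the snort.alert spool.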
