[Snort-users] How to get barnyard to read both log and alert

Russell Fulton r.fulton at ...3809...
Mon Nov 22 18:38:07 EST 2004


Hi Barry,
	Thanks for your prompt response!

On Tue, 2004-11-23 at 14:28, Basselgia, Barry A Mr (NAF Atsugi) wrote:
> If I understand it correctly, you don't need to have both the log and alert
> files processed.
> 
> The log file contains all the information in the alert file plus additional
> details.  So if you have it process your log file you should have all the
> information.

I understood that there is information in the alert file that is not
included in the log file.  Maybe this was only an issue with older
versions of snort, but I remember getting very frustrated a couple of
years ago when unified output first came out and I ended up using mudpit
instead of barnyard.  Mudpit is no longer maintained so I tried barnyard
again.

I've started just using the log file and it all seems to work fine!

It is not clear from the docs that the log file also contains all the
information about the alerts too.  All the other formats have the data
in separate files.  Hmmmm... or is it all implicit in the name
(unified)?  Still it would not hurt to spell it out for idiots like me!

Who should I send a patch to with additions to the comments in the conf
file on unified output plugins?

On second thought, I'll post it here:

 # unified: Snort unified binary format alerting and logging
 # -------------------------------------------------------------
 # The unified output plugin provides two new formats for logging and generating
 # alerts from Snort, the "unified" format.  The unified format is a straight
 # binary format for logging data out of Snort that is designed to be fast and
!# efficient.  The alert file contains just the alert information while the log 
!# file contains this information in addition to any packet capture data associated
!# with the alert. You should choose one or the other depending on whether or not 
!# you want packet capture data in your database.
 # Used with barnyard (the new alert/log processor), most of the
 # overhead for logging and alerting to various slow storage mechanisms such as
 # databases or the network can now be avoided.
 #
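Review bot: as posted this cannot be applied with patch(1): the changed lines carry context-diff `!` markers but there is no `*** snort.conf` / `--- snort.conf` file header and no `*** N,M ****` hunk line, so either regenerate it with `diff -c` against the shipped snort.conf or say it is plain replacement text for the comment block. Two of the new lines ("... while the log " and "... whether or not ") also end in trailing whitespace that should be trimmed before it goes into the distributed conf.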

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
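The point Russell settles on above, that the unified log file already holds everything the unified alert file does, can be checked directly: the alert record's addresses, ports and protocol are just fields copied out of the packet that the log record carries. The following Python is an added example, not code from this thread, from Snort or from barnyard. The record layouts it packs are an assumption modelled on Snort 2.x spo_unified.h (32-bit fields, native byte order, no padding) rather than a copy of that header, and the event and packet are constructed for the demonstration.

```python
"""Show that a unified *log* record carries everything a unified *alert*
record does: the alert 5-tuple is recoverable from the logged packet.

Record layouts are an assumption modelled on Snort 2.x spo_unified.h
(32-bit fields, native byte order, no padding); check the header you run.
The event and the packet are constructed sample data.
"""
import socket
import struct

# Event: sig_generator, sig_id, sig_rev, classification, priority,
#        event_id, event_reference, ref_time.tv_sec, ref_time.tv_usec
EVENT_FMT = "=9I"
# UnifiedAlert tail: ts.tv_sec, ts.tv_usec, sip, dip, sp, dp, protocol, flags
ALERT_TAIL_FMT = "=IIIIHHII"
# UnifiedLog tail: flags, pkth.tv_sec, pkth.tv_usec, pkth.caplen, pkth.pktlen
LOG_TAIL_FMT = "=IIIII"

ETH_HLEN, IP_HLEN, TCP_HLEN = 14, 20, 20


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement sum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(sip: str, dip: str, sp: int, dp: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN with no payload, as Snort would log it."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + TCP_HLEN, 0x1234,
                     0x4000, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sp, dp, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def ip_to_u32(addr: str) -> int:
    """IPv4 address as the raw 32-bit value copied straight out of the IP header."""
    return struct.unpack("=I", socket.inet_aton(addr))[0]


def pack_alert_record(event, ts, sip, dip, sp, dp, protocol, flags=0) -> bytes:
    return struct.pack(EVENT_FMT, *event) + struct.pack(
        ALERT_TAIL_FMT, ts[0], ts[1], ip_to_u32(sip), ip_to_u32(dip),
        sp, dp, protocol, flags)


def pack_log_record(event, ts, pkt, flags=0) -> bytes:
    tail = struct.pack(LOG_TAIL_FMT, flags, ts[0], ts[1], len(pkt), len(pkt))
    return struct.pack(EVENT_FMT, *event) + tail + pkt


def parse_alert_record(buf: bytes) -> dict:
    n = struct.calcsize(EVENT_FMT)
    event = struct.unpack(EVENT_FMT, buf[:n])
    sec, usec, sip, dip, sp, dp, proto, _flags = struct.unpack(
        ALERT_TAIL_FMT, buf[n:n + struct.calcsize(ALERT_TAIL_FMT)])
    return {"event": event, "ts": (sec, usec), "sip": sip, "dip": dip,
            "sp": sp, "dp": dp, "protocol": proto}


def parse_log_record(buf: bytes) -> dict:
    n = struct.calcsize(EVENT_FMT)
    event = struct.unpack(EVENT_FMT, buf[:n])
    m = n + struct.calcsize(LOG_TAIL_FMT)
    _flags, sec, usec, caplen, pktlen = struct.unpack(LOG_TAIL_FMT, buf[n:m])
    return {"event": event, "ts": (sec, usec), "caplen": caplen,
            "pktlen": pktlen, "packet": buf[m:m + caplen]}


def alert_from_log(logrec: dict) -> dict:
    """Rebuild the alert-record fields from the packet inside a log record."""
    pkt = logrec["packet"]
    ip = pkt[ETH_HLEN:ETH_HLEN + IP_HLEN]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sip, dip = struct.unpack("=II", ip[12:20])      # raw header bytes, like Snort
    sp = dp = 0
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        off = ETH_HLEN + ihl
        sp, dp = struct.unpack("!HH", pkt[off:off + 4])
    return {"event": logrec["event"], "ts": logrec["ts"], "sip": sip,
            "dip": dip, "sp": sp, "dp": dp, "protocol": proto}


def demo() -> bool:
    """True when the log record reproduces the alert record field for field."""
    event = (1, 2003, 8, 3, 2, 42, 42, 1101159487, 0)   # constructed Event
    ts = (1101159487, 0)
    pkt = build_tcp_packet("10.0.0.5", "192.168.1.20", 34567, 80)
    from_log = alert_from_log(parse_log_record(pack_log_record(event, ts, pkt)))
    from_alert = parse_alert_record(pack_alert_record(
        event, ts, "10.0.0.5", "192.168.1.20", 34567, 80, socket.IPPROTO_TCP))
    return from_log == from_alert


if __name__ == "__main__":
    print("log record covers alert record:", demo())
```

The reverse does not hold: nothing in an alert record lets you rebuild the packet, which is why feeding barnyard only the log spool loses nothing while feeding it only the alert spool loses the captures.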
