[Snort-users] Re: [Barnyard-users] Barnyard alert_fast and log_dump question ...
sekure at ...11827...
Tue Oct 5 06:45:20 EDT 2004
I may be a little dense, but what is the reason that barnyard can't
recreate snort's alert_fast type log just based on the unified log
file? It has the source/destination/timestamp, and if I tell it where
the sid-msg.map is, it has the alert name/msg. At this point all I
want it to do is write this to a file.
I had a similar issue where snort was writing a unified log file and I
wanted barnyard to do 3 things with it: Write to a remote database,
write locally in tcpdump format, and write locally in alert fast
format. I could get the first two working, but for the life of me
couldn't get "output alert_fast" to work in barnyard. Until I read
the comment directly above and saw that it converts data from the
dp_alert plugin, not the dp_log.
I guess my point is, doesn't the log facility write out all the
information of alert facility PLUS some?
On Tue, 5 Oct 2004 08:06:49 -0500, Bamm Visscher <bamm at ...539...> wrote:
> I've heard rumors that the unified output format and/or barnyard will be revamped some. Is there some reason you can't just run two instances of barnyard (one to watch unified alert and output to alert_fast. And another to watch unified log and ouput to DB)?
More information about the Snort-users