[Snort-users] RE: Network Behaviour Anomaly Detection

Lawrence Reed Lawrence.Reed at ...1444...
Wed Oct 13 05:06:08 EDT 2004


Larry Reed wrote:
> I have a chunk of code to do just that.  It was written some time ago 
> for BY 0.1.0.  Spits out the stream stats in a csv format, similar to 
> alert_csv output.
>
> If anyone is interested I'll clean it up for BY 0.2.0 and post it.

Someone expressed interest so here it is:

This patch will allow BY 0.2.0 to read snort stream stat unified files. 
The output is written to a csv file as defined in barnyard.conf.  The 
default filename is stats-csv.out and the default format is:

starttime, endtime, client-ip, client-port, server-ip, server-port, 
server-bytes, server-packets, client-bytes, client-packets


My barnyard.conf contains only two lines:

    processor dp_stream_stat
    output stream_stat_csv


The files are created with the following snort.conf entry:

    preprocessor stream4: disable_evasion_alerts, keepstats binary

I patched a few files and created two new files:

Patched:
/barnyard-0.2.0/src/input-plugins/dp_stream_stat.h
/barnyard-0.2.0/src/output-plugins/op_plugbase.c
/barnyard-0.2.0/src/output-plugins/Makefile.in

New:
/barnyard-0.2.0/src/output-plugins/op_stream_stat_csv.c
/barnyard-0.2.0/src/output-plugins/op_stream_stat_csv.h


I have been using this code for several weeks.  It works with my 
configuration. I have not tested everything and consider this beta code.

The patches were created from BY 0.2.0 build 32.

Use at your own risk.


Larry


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: op_stream_stat_csv.h.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041013/47ff4a9f/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dp_stream_stat.h.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041013/47ff4a9f/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Makefile.in.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041013/47ff4a9f/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: op_plugbase.c.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041013/47ff4a9f/attachment-0003.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: op_stream_stat_csv.c.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041013/47ff4a9f/attachment-0004.ksh>
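As an added example (not part of the post or the attached patches), a small Python reader for the default ten-field stats-csv.out layout described above, aggregating bytes per server and flagging sessions that stand out by duration or by client-to-server byte ratio, which is the kind of behaviour-anomaly baseline the thread subject refers to. The sample rows, the epoch-second timestamps and the thresholds are all constructed assumptions, not real stream4 output.

```python
import csv
import io
from collections import defaultdict

# Field order of the default stream_stat_csv output as described in the post.
FIELDS = ["starttime", "endtime", "client_ip", "client_port", "server_ip",
          "server_port", "server_bytes", "server_packets", "client_bytes", "client_packets"]
NUMERIC = ("time", "port", "bytes", "packets")

# Constructed sample rows (not real stats-csv.out data); times assumed to be epoch seconds.
# The last row is deliberately malformed to exercise the skip path.
SAMPLE = """\
1097650000,1097650012,10.0.0.5,40123,192.168.1.10,80,52000,48,600,9
1097650003,1097650005,10.0.0.6,40124,192.168.1.10,80,31000,30,500,8
1097650010,1097650700,10.0.0.7,40125,192.168.1.20,443,1200,14,95000000,68000
1097650020,1097650021,10.0.0.5,40126,192.168.1.10,80,0,1,60,1
bad,line
"""

def parse_stream_stats(text):
    """Parse stream_stat_csv rows into dicts; rows with the wrong arity or non-numeric counters are skipped."""
    flows = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        try:
            for key in FIELDS:
                if key.endswith(NUMERIC):
                    rec[key] = int(rec[key])
        except ValueError:
            continue
        flows.append(rec)
    return flows

def summarize_by_server(flows):
    """Per (server_ip, server_port): session count and bytes in each direction."""
    agg = defaultdict(lambda: {"sessions": 0, "server_bytes": 0, "client_bytes": 0})
    for f in flows:
        a = agg[(f["server_ip"], f["server_port"])]
        a["sessions"] += 1
        a["server_bytes"] += f["server_bytes"]
        a["client_bytes"] += f["client_bytes"]
    return dict(agg)

def flag_anomalous(flows, min_duration=300, max_client_ratio=10.0, min_client_bytes=10000):
    """Flag long-lived sessions, or sessions where the client sends far more than it receives.
    min_client_bytes keeps tiny failed connections (e.g. 60 bytes against 0) out of the ratio check."""
    flagged = []
    for f in flows:
        duration = f["endtime"] - f["starttime"]
        ratio = f["client_bytes"] / max(f["server_bytes"], 1)
        if duration >= min_duration or (ratio >= max_client_ratio and f["client_bytes"] >= min_client_bytes):
            flagged.append((f["client_ip"], f["server_ip"], f["server_port"], duration, round(ratio, 1)))
    return flagged
```

The thresholds are placeholders; in practice they would be derived from a baseline of your own stats-csv.out history rather than fixed constants.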

