[Snort-users] unified format

Igor Belikov ivb at ...13431...
Thu Aug 18 23:52:16 EDT 2005


Hello snort-users,

  I have several questions regarding unified log format.

  1. In the archive of this mailing list I read that the unified alert file
  contains only alert information, and the unified log file contains both
  alerts and the corresponding payloads. But the documentation says differently:
  the unified log contains only the payload, and I confirmed this with some
  tests.

  2. I need to log detailed info about alerts to a DB. I set up snort to
  write unified alert and log files, and need some mechanism to store
  this info in the DB.

  3. Writing to the DB by snort is not a good solution, so I want to use
  barnyard. But I can't take _all_ the information from the unified logs! I
  can't set up barnyard to process both alert and log files, and I
  can't run two copies of barnyard to process the two files (alert and
  log). When I run only one copy of barnyard to process the log file, I don't
  receive events in the DB at all! When I run barnyard to process the alert file,
  I receive alert events in the DB, but I don't receive the payload of these
  alerts.

  So, I need some help setting up snort+barnyard to put detailed info
  about alerts in the DB.

-- 
Best regards,
 Igor                          mailto:ivb at ...13431...


P.S. Excuse my poor English, please...
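
As an added illustration of point 1 above (example code, not from the original post nor from the Snort or barnyard projects), here is a small Python reader for a unified alert file, showing that its records carry event metadata only and no packet payload. It assumes the Snort 2.x spo_unified v1 record layout as written on a 32-bit little-endian host; the magic value, field order and the sample records are assumptions of this example.

```python
import socket
import struct

# ASSUMED layout of Snort 2.x unified alert files (spo_unified v1, 32-bit
# host, structs copied verbatim in host byte order, little-endian, no padding):
#   file header: magic(u32) version_major(u32) version_minor(u32) timezone(u32)
#   record:      Event{sig_generator,sig_id,sig_rev,classification,priority,
#                      event_id,event_reference,ref_time(sec,usec)}
#                ts(sec,usec) sip(4 raw bytes) dip(4 raw bytes) sp(u16) dp(u16) flags(u32)
ALERT_MAGIC = 0xDEAD4137
HEADER = struct.Struct("<4I")             # 16 bytes
RECORD = struct.Struct("<7I2I2I4s4sHHI")  # 60 bytes; there is no payload field
FIELDS = ("sig_generator", "sig_id", "sig_rev", "classification", "priority",
          "event_id", "event_reference", "ref_sec", "ref_usec",
          "ts_sec", "ts_usec", "sip", "dip", "sp", "dp", "flags")


def parse_unified_alerts(data):
    """Return a list of alert dicts. A trailing partial record (snort may
    still be writing it) is ignored rather than treated as corruption."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than a unified alert header")
    magic, major, minor, tz = HEADER.unpack_from(data, 0)
    if magic != ALERT_MAGIC:
        raise ValueError("bad magic 0x%08x, not a unified alert file" % magic)
    alerts = []
    offset = HEADER.size
    while offset + RECORD.size <= len(data):
        rec = dict(zip(FIELDS, RECORD.unpack_from(data, offset)))
        # IPs are the raw packet bytes, so they convert without byte swapping
        rec["sip"] = socket.inet_ntoa(rec["sip"])
        rec["dip"] = socket.inet_ntoa(rec["dip"])
        alerts.append(rec)
        offset += RECORD.size
    return alerts


def build_sample():
    """Constructed two-record file used for the demo; not real Snort output."""
    hdr = HEADER.pack(ALERT_MAGIC, 1, 81, 0)
    r1 = RECORD.pack(1, 2003, 5, 3, 2, 1, 0, 1124407936, 0, 1124407936, 123456,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.10"),
                     4321, 80, 0)
    r2 = RECORD.pack(1, 1000, 1, 1, 1, 2, 0, 1124407937, 0, 1124407937, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"),
                     80, 4321, 0)
    return hdr + r1 + r2


if __name__ == "__main__":
    for a in parse_unified_alerts(build_sample()):
        print("%(sig_generator)d:%(sig_id)d:%(sig_rev)d %(sip)s:%(sp)d -> %(dip)s:%(dp)d" % a)
```

Because each record ends after the flags field, a database fed only from the alert file can never contain packet data; the payload lives only in the unified log file.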
