Fwd: Re[4]: [Snort-users] unified format

Bamm Visscher bamm.visscher at ...11827...
Fri Aug 19 07:59:08 EDT 2005

Durn it, used the wrong snort-users addr the first time.

---------- Forwarded message ----------
From: Bamm Visscher <bamm.visscher at ...11827...>
Date: Aug 19, 2005 8:53 AM
Subject: Re: Re[4]: [Snort-users] unified format
To: snort-users-request at lists.sourceforge.net,
"barnyard-users at lists.sourceforge.net"
<barnyard-users at lists.sourceforge.net>

Actually, that's not true. Snort will call the log func from inside
the alert func for any alert that has a packet. So, if the alerts you
are seeing in the alert DB are from a plugin that doesn't pass a
pointer to the packet (like the old portscan preproc) then you won't
get the corresponding alert/packet info in your unified log. There
are very few instances where this will happen, and any alert that is
triggered from a signature will have a packet and thus the log func
will be called.

I wonder if this is a waldo file issue. If you originally ran barnyard
watching the unified alert file, then switched it to watching the
unified log file, that may have caused problems with barnyard. Try
removing $SNORT_LOG/barnyard.waldo and then start barnyard with
"-f snort.log". When you do this, run barnyard in the foreground and send
a copy of the stdout back here.


On 8/19/05, Roland Turner (SourceForge) <raz.fs.arg at ...9950...> wrote:

> > When I use "-f snort.alert" - I get alert events in DB, but don't get
> > payload. When I use "-f snort.log" - I don't get alert events in DB.
> Ah, this may be the problem. If the rule action is "alert" then the data
> presented to the output plugins does not include the payload. There is no
> configuration of anything that can get around this, IIRC. You need to be
> setting the actions to "log" if you want the payload.
> - Raz

sguil - The Analyst Console for NSM