[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

Paul Schmehl pauls at ...6838...
Sat Aug 20 09:57:05 EDT 2005


--On August 20, 2005 12:44:35 AM -0500 
eric-list-snort-users at ...11523... wrote:
>
> My barnyard.conf is as follows...
>
>  config localtime
>  config hostname: gw1
>  config interface: bridge0
>  config filter: not port 22
>  output log_acid_db: mysql, database snort, server 10.19.81.137,
>   user foo, password bar, detail full    [wrapped for clarity]
>
> Next I start barnyard in the following manner...
>
>  # /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
>     -s /var/snort/etc/sid-msg.map -g /var/snort/etc/gen-msg.map \
>     -p /var/snort/etc/classification.config -d /var/snort/log \
>     -f snort.log -w /var/snort/log/snort_ids.log
>
You can add the following to the config section of your barnyard conf file:
config sid-msg-map: /usr/local/share/snort/sid-msg.map
config gen-msg-map: /usr/local/share/snort/gen-msg.map
config class-file: /usr/local/share/snort/classification.config

(adjust the paths to the files to match your locations)

which will allow you to reduce your barnyard startup to the following:

>  # /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
>    -d /var/snort/log -f snort.log -w /var/snort/log/snort_ids.log


> WARNING: Bookmark file is corrupt, only processing new events

Delete your waldo file (/var/log/snort/log/snort_ids.log) and allow 
barnyard to recreate it.  It's apparently corrupted.

I also strongly recommend that you do not use localtime with barnyard.  It 
causes problems during the change from daylight savings to "normal" time.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
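One way to pre-flight the setup Paul describes, as an added example that is not part of the original thread: a POSIX shell check that reads the config sid-msg-map / gen-msg-map / class-file entries from barnyard.conf, verifies those files are readable, confirms the waldo (bookmark) file's directory is writable, and flags config localtime. The sample layout it builds under mktemp is constructed here; the config keys are the ones named in the message.

```shell
#!/bin/sh
# Pre-flight check for a barnyard.conf before starting barnyard.
# Prints the number of problems found (0 means ready to start).

# conf_value CONF KEY -> value of a "config KEY: value" line (empty if absent)
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_barnyard_conf CONF WALDO_FILE
check_barnyard_conf() {
    conf=$1; waldo=$2; problems=0
    # Map files that would otherwise have to be passed with -s / -g / -p
    for key in sid-msg-map gen-msg-map class-file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "NOTE: no 'config $key' in $conf; pass it on the command line" >&2
        elif [ ! -r "$path" ]; then
            echo "ERROR: $key points at an unreadable file: $path" >&2
            problems=$((problems + 1))
        fi
    done
    # barnyard must be able to create/rewrite the waldo file (-w)
    waldo_dir=$(dirname "$waldo")
    if [ ! -d "$waldo_dir" ] || [ ! -w "$waldo_dir" ]; then
        echo "ERROR: waldo directory is not writable: $waldo_dir" >&2
        problems=$((problems + 1))
    fi
    # localtime is discouraged because of the DST transition problem
    if grep -q '^[[:space:]]*config[[:space:]]*localtime' "$conf"; then
        echo "WARN: 'config localtime' is set; DST changes can confuse barnyard" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Build a constructed sample layout (empty map files, a conf) and print its path.
make_sample() {
    d=$(mktemp -d)
    : > "$d/sid-msg.map"; : > "$d/gen-msg.map"; : > "$d/classification.config"
    mkdir -p "$d/log"
    printf 'config hostname: gw1\nconfig sid-msg-map: %s/sid-msg.map\n' "$d" > "$d/barnyard.conf"
    printf 'config gen-msg-map: %s/gen-msg.map\n' "$d" >> "$d/barnyard.conf"
    printf 'config class-file: %s/classification.config\n' "$d" >> "$d/barnyard.conf"
    echo "$d"
}

# Usage against the constructed sample; in production pass your real paths.
sample=$(make_sample)
check_barnyard_conf "$sample/barnyard.conf" "$sample/log/snort_ids.log"
rm -rf "$sample"
```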
