Fwd: Re[4]: [Snort-users] unified format

Igor Belikov ivb at ...13431...
Mon Aug 22 07:51:03 EDT 2005


Hello Bamm,

Friday, August 19, 2005, 5:55:01 PM, you wrote:

BV> I wonder if this is a waldo file issue. If you originally ran barnyard
BV> watching the unified alert file, then switched it to watching the
BV> unified log file that may have caused problems with barnyard.

I'm sure that it's not a waldo file issue, because I'm removing the old logs
(and the old waldo file) before every run of snort+barnyard.

BV> Try removing $SNORT_LOG/barnyard.waldo and then start barnyard
BV> with the "-f snort.log". When you do this, run barnyard in the
BV> foreground and send a copy of the stdout back here.

OK. I'm running barnyard with "-R" and without "-R":

without "-R"

 - >8 - - >8 - - >8 - - >8 -

No bookmark file found, processing all events
Opened spool file '/var/log/snort/snort.log.1124719207'
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
SensorID: 1
Next CID: 19058
Waiting for new data
Exiting
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 0
  Timet:         0
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

and (after Ctrl+C) with "-R" (with some extra info)

 - >8 - - >8 - - >8 - - >8 -

Starting data processing using information from bookmark file
Output plugins enabled for 'alert' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 63
  Timet:         1124719207
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

While barnyard is running in process mode (without "-R"), the alert and log
files grow (so some events do occur), but no events are written to the
DB.

>> > When I use "-f snort.alert" - I get alert events in DB, but don't get
>> > payload. When I use "-f snort.log" - I don't get alert events in DB.
>>
>>
>> Ah, this may be the problem. If the rule action is "alert" then the data
>> presented to the output plugins does not include the payload. There is no
>> configuration of anything that can get around this, IIRC. You need to be
>> setting the actions to "log" if you want the payload.


-- 
Best regards,
 Igor                            mailto:ivb at ...13431...




