[Snort-users] problems with barnyard, snort and mysql

Alejandro Flores alejandrorflores at ...11827...
Fri Mar 11 13:54:53 EST 2005


output log_unified: filename /var/log/snort/snort.log, limit 128

output alert_acid_db: mysql, database DBNAME server localhost, sensor_id 1, user DBUSER, password DBPASS

Start Barnyard:
barnyard -c /etc/barnyard.conf -d /var/log/snort -a /var/log/snort-archive -f snort.log -w /var/log/snort/waldo -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -D

Start Snort without the '-A' and '-b' options (for example):
snort -C -d -c /etc/snort/snort.conf -i IF_YOURE_LISTENING_TO -D

OK, now just relax and wait.
Next, install BASE to analyse data.

Have fun,
Alejandro Flores
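The recipe above has three pieces that must agree with each other: the log_unified filename prefix in snort.conf, the -f/-d arguments given to barnyard, and the alert_acid_db output line in barnyard.conf. The most common reason "nothing shows up in MySQL" is that one of those is off (wrong prefix, missing spool or archive directory, map file not readable). The following pre-flight check is an added example, not code from the original post; it assumes the same hypothetical paths as the message (/etc/snort/snort.conf, /etc/barnyard.conf, /var/log/snort, /var/log/snort-archive) and only inspects files, it does not start snort or barnyard.

```shell
#!/bin/sh
# Pre-flight check for the snort -> log_unified -> barnyard -> MySQL pipeline.
# Added example (not from the original post). Paths are hypothetical and are
# passed in as arguments so the script can be run against any layout.

# Print the basename of the unified log prefix configured in snort.conf
# (e.g. "snort.log" for "output log_unified: filename /var/log/snort/snort.log, limit 128").
# Prints nothing if no log_unified output line is present. Always returns 0.
unified_prefix() {
    p=$(sed -n 's/^[[:space:]]*output[[:space:]]*log_unified:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$p" ] && basename "$p"
    return 0
}

# Verify that everything barnyard needs is in place and consistent.
# Arguments: snort.conf barnyard.conf spool_dir archive_dir waldo_file [map/config files...]
# Returns 0 when all checks pass; prints the first problem found and returns 1 otherwise.
check_pipeline() {
    snortconf="$1"; byconf="$2"; spool="$3"; archive="$4"; waldo="$5"; shift 5

    [ -r "$snortconf" ] || { echo "cannot read snort.conf: $snortconf"; return 1; }
    prefix=$(unified_prefix "$snortconf")
    [ -n "$prefix" ] || { echo "no 'output log_unified' line in $snortconf: barnyard would have nothing to read"; return 1; }

    [ -r "$byconf" ] || { echo "cannot read barnyard.conf: $byconf"; return 1; }
    grep -q '^[[:space:]]*output[[:space:]]*alert_acid_db:[[:space:]]*mysql' "$byconf" \
        || { echo "no 'output alert_acid_db: mysql' line in $byconf: nothing would reach the database"; return 1; }

    # Spool directory is where snort writes $prefix.* and barnyard reads it (-d);
    # archive directory receives processed files (-a).
    [ -d "$spool" ]   || { echo "spool directory missing: $spool"; return 1; }
    [ -d "$archive" ] || { echo "archive directory missing: $archive"; return 1; }

    # Barnyard creates the waldo bookmark file itself, but its directory must exist.
    waldo_dir=$(dirname "$waldo")
    [ -d "$waldo_dir" ] || { echo "directory for waldo file missing: $waldo_dir"; return 1; }

    # sid-msg.map, gen-msg.map, classification.config (-s, -g, -p)
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read map/config file: $f"; return 1; }
    done

    echo "OK: start barnyard with -d $spool -f $prefix -a $archive -w $waldo"
    return 0
}

# Usage (against the layout from the message):
# check_pipeline /etc/snort/snort.conf /etc/barnyard.conf /var/log/snort /var/log/snort-archive \
#     /var/log/snort/waldo /etc/snort/sid-msg.map /etc/snort/gen-msg.map /etc/snort/classification.config
```

The value printed after "-f" is the prefix barnyard must be given; if it differs from what you pass on the command line, barnyard sits idle while snort happily fills the spool directory. Run the check before starting either daemon, and rerun it after any change to the output lines in either configuration file.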

> Hey everyone,
> I already posted this on the forums but I noticed that I was accepted
> into the mailing list so I will also write it here as well, never hurts
> to cover all of your bases ;D. I am configuring a server that is using
> snort to examine traffic that would normally be deleted. By that, I mean
> traffic whose IP does not resolve to a valid location. We are using this
> information to detect possible users with viruses on their machines. My
> question is what is a good configuration for Snort and Barnyard to work
> with MySQL. All the information I really need in the database is the
> source IP and port, destination IP and port, and the time that the
> packet was received. I am guessing that the '-A fast' option will take
> care of that part. So what should I have snort log to, what should
> barnyard pick up, and how do I export it to the database? I have tried a
> few different ways and I haven't had any luck. Thanks in advance for any
> solutions to my problem.
