[Snort-users] problems with barnyard, snort and mysql

Kevin Smith kjsmith at ...13166...
Fri Mar 11 14:13:33 EST 2005

Hey Alejandro,

I used what you wrote to me and I am getting this for an error:

WARNING /usr/local/src/barnyard-0.2.0/etc/barnyard.conf(127) => Unknown 
output plugin "alert_acid_db" referenced, ignoring!Fatal Error, Quitting..

I guess my next question would be where do I define that output plug-in. 
Thanks for your reply.


Alejandro Flores wrote:

>output log_unified: filename /var/log/snort/snort.log, limit 128
>output alert_acid_db: mysql, database DBNAME server localhost,
>sensor_id 1, user DBUSER, password DBPASS
>Start Barnyard:
>barnyard -c /etc/barnyard.conf -d /var/log/snort -a
>/var/log/snort-archive -f snort.log -w /var/log/snort/waldo -s
>/etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p
>/etc/snort/classification.config -D
>Start Snort with no '-A' and '-b' options. (for example:)
>snort -C -d -c /etc/snort/snort.conf -i IF_YOURE_LISTENING_TO -D
>Ok, now just relax and wait. 
>Next, install BASE to analyse data.
>Have fun,
>Alejandro Flores
>>Hey everyone,
>>I already posted his on the forums but I noticed that I was accepted
>>into the mailing list so I will also write it here as well, never hurts
>>to cover all of your bases ;D. I am configuring a server that is using
>>snort to examine traffic that would normally be deleted. By that, I mean
>>traffic who's IP does not resolve to a valid location. We are using this
>>information to detect possible users with virus on their machines. My
>>question is what is a good configuration for Snort and Barnyard to work
>>with MySQL. All the information I really need in the database is the
>>source IP and port, destination IP and port, and the time that the
>>packet was received. I am guessing that the '-A fast' option will take
>>care of that part. So what should I have snort log too, what should
>>barnyard pickup, and how do I export it to the database? I have tried a
>>few different ways and I haven't had any luck. Thanks in advance for any
>>solutions to my problem.
>SF email is sponsored by - The IT Product Guide
>Read honest & candid reviews on hundreds of IT Products from real users.
>Discover which products truly live up to the hype. Start reading now.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050311/75ddb692/attachment.html>

More information about the Snort-users mailing list