[Snort-users] need help configuring snort + barnyard

Igor Belikov ivb at ...13431...
Thu Oct 20 00:20:11 EDT 2005


Hello Chris,

Wednesday, October 19, 2005, 7:31:05 PM, you wrote:

CE> |   I configured snort to write both alert and log files in unified
CE> |   format. But I can't configure barnyard properly to store in DB
CE> |   detailed info about alerts.
CE> | 
CE> |   Barnyard "watch" alert files and stores info about alerts, but I
CE> |   need also store whole packets caused alert.

CE> It seems you don't need to have snort write both unified files.  All the
CE> required info seems to be in the unified "log" file, so this is what you
CE> want barnyard to read.  It's not at all clear to us what info is in the
CE> unified "alert" file that's not *also* in the unified "log" file.  So we
CE> don't write a unified "alert" file at all.

It sounds good, but I still can't configure snort + barnyard.

Last configs:

  - snort:

output log_unified: filename snort.log, limit 128

  - barnyard:

output log_acid_db: mysql, sensor_id 1, database snort, server x.x.x.x, user xxxxx, password xxxxx, detail full

In the /log directory I see "snort.log.<timestamp>", "barnyard.waldo"
(with the correct link to snort.log) and "alert" (with alerts produced by
snort).

Watching the log files I see that barnyard works (the link in the waldo file
follows the growing snort.log), but I don't get any new alerts in the DB.

Using the previous variant of the configs (using unified alert) barnyard put
all alerts in the DB.

Please point me to where I make a mistake.

-- 
Best regards,
 Igor                            mailto:ivb at ...13431...