[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0
jason.brvenik at ...1935...
Mon Sep 19 09:01:07 EDT 2005
eric-list-snort-users at ...11523... wrote:
> It seems I have a problem with barnyard 0.2.0 and snort 2.4.0 on OpenBSD
> 3.6. I have configured snort to write a unified log to
> /var/snort/log/snort.log with the following....
> output log_unified: snort.log, limit 128
> files are being written, as witnessed by the following....
> $ ls -l /var/snort/log
> -rw-r--r-- 1 root _snort 5967 Aug 19 19:58 snort-unified.log.1124485688
> -rw-r--r-- 1 root _snort 9150 Aug 19 20:29 snort-unified.log.1124499689
> -rw-r--r-- 1 root _snort 46069 Aug 19 23:45 snort-unified.log.1124510258
> -rw-r--r-- 1 root _snort 18878 Aug 20 00:27 snort-unified.log.1124513157
> I'm starting snort in the following manner...
> # /var/snort/bin/snort -c /var/snort/etc/snort.conf \
> -l /var/snort/log -F /var/snort/etc/snort.pcap -D
> So everything is working there fine. Signatures are triggered on.
> My barnyard.conf is as follows...
> config localtime
> config hostname: gw1
> config interface: bridge0
> config filter: not port 22
> output log_acid_db: mysql, database snort, server 10.19.81.137,
> user foo, password bar, detail full [wrapped for clarity]
Optional for debugging:
output alert_csv: /var/log/snort/csv.out
remove config localtime - it will prove challenging during timewarps
> Next I start barnyard in the following manner...
> # /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
> -s /var/snort/etc/sid-msg.map -g /var/snort/etc/gen-msg.map \
> -p /var/snort/etc/classification.config -d /var/snort/log \
> -f snort.log -w /var/snort/log/snort_ids.log
change that to
/var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
-s /var/snort/etc/sid-msg.map \
-g /var/snort/etc/gen-msg.map \
-p /var/snort/etc/classification.config \
-d /var/snort/log \
-f snort-unified.log \
note that -f and -w are changed.
More information about the Snort-users