[Snort-users] Barnyard and log_dump

Bamm Visscher bamm.visscher at ...11827...
Tue Sep 12 17:06:27 EDT 2006


log_dump is a unified_log output plugin and you are reading a
unified_alert file (-f snort.alert).

Bammkkkk


On 9/12/06, Paul Melson <pmelson at ...11827...> wrote:
> I'm trying to get barnyard-0.2.0 and snort-2.4.5 working on a new sensor.
> I'm trying to get barnyard to log with 'log_dump' output.  It looks like I
> have it configured correctly, but when events are triggered, I see a change
> in the mtime of the snort.alert.* unified files from snort as well as the
> barnyard snort-bookmark waldo file, but snort.out is never created.  I've
> verified that file permissions are not the issue.  I'm sure it's something
> stupid, but I'm stuck.  Any ideas?
>
> $ cat barnyard-deep.conf
> config daemon
> config localtime
> config hostname: convict
> config interface: eth1
> config sid-msg-map: /opt/snort/rules/sid-msg.map
> config class-file: /opt/snort/rules/classification.config
> output log_dump: /opt/barnyard/snort.out
>
> $ /opt/barnyard/barnyard -c /opt/barnyard/barnyard.conf -d
> /opt/snort/var/log/snort -f snort.alert -w /opt/barnyard/snort-bookmark -X
> /var/run/by.pid -L /opt/barnyard -vvvv -R
> Barnyard Version 0.2.0 (Build 32)
> Command line arguments:
>   Config file:           /opt/barnyard/barnyard.conf
>   Spool dir:             /opt/snort/var/log/snort
>   Gen-msg file:          Not specified
>   Sid-msg file:          Not specified
>   Class file:            Not specified
>   Log dir:               /opt/barnyard
>   Archive dir:           Not specified
>   File base:             snort.alert
>   Waldo file:            /opt/barnyard/snort-bookmark
>   Pid file:              /var/run/by.pid
>   Verbosity level:       4
>   Dry run flag:          Set
>   Batch mode flag:       Not Set
>   Daemon flag:           Not Set
>   New records only flag: Not Set
>   Usage flag:            Not Set
>   Version flag:          Not Set
> Config file variables:
>   Hostname:        snort
>   Interface:       eth1
>   BPF Filter:      Not specified
>   Class file:      /opt/snort/rules/classification.config
>   Sid-msg file:    /opt/snort/rules/sid-msg.map
>   Gen-msg file:    /opt/snort/rules/gen-msg.map
>   Daemon flag:     Not Set
>   Localtime flag:  Set
> Starting data processing using information from bookmark file
> Program Variables:
>   Continual processing mode
>   Config dir:    /opt/barnyard
>   Config file:   /opt/barnyard/barnyard.conf
>   Sid-msg file:  /opt/snort/rules/sid-msg.map
>   Gen-msg file:  /opt/snort/rules/gen-msg.map
>   Class file:    /opt/snort/rules/classification.config
>   Hostname:      snort
>   Interface:     eth1
>   BPF Filter:
>   Log dir:       /opt/barnyard
>   Verbosity:     4
>   Localtime:     1
>   Spool dir:     /opt/snort/var/log/snort
>   Spool file:    snort.alert
>   Bookmark file: /opt/barnyard/snort-bookmark
>   Record Number: 36
>   Timet:         1158033662
>   Start at end:  0
> Output plugins enabled for 'alert' records
> -------------------------------------------------------
> None configured
> =======================================================
> Output plugins enabled for 'log' records
> -------------------------------------------------------
> OpLogDump configured
>   Filename: /opt/barnyard/snort.out
> =======================================================
> Output plugins enabled for 'stream_stat' records
> -------------------------------------------------------
> None configured
> =======================================================
>
> Thanks,
> PaulM
>
>
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
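A small check for the mismatch Bamm points out: the header magic at the start of a Snort unified spool file says whether it carries alert or log records, and barnyard's log_dump plugin only fires on log records. This is an added example, not code from the thread or from barnyard; the magic constants are the ones Snort's unified output plugin (spo_unified.h) writes, and the sample headers are constructed for the demo.

```python
"""Classify a Snort unified spool file as unified_alert or unified_log."""
import struct
from typing import Optional

# Magic values Snort's unified output plugin writes at byte 0 of each file.
ALERT_MAGIC = 0xDEAD4137   # UnifiedAlertFileHeader (snort.alert.*)
LOG_MAGIC = 0xDEAD1080     # UnifiedLogFileHeader   (snort.log.*)

# barnyard record type each file kind feeds ('alert' vs 'log' plugins)
RECORD_TYPE = {ALERT_MAGIC: "alert", LOG_MAGIC: "log"}


def unified_record_type(header: bytes) -> Optional[str]:
    """Return 'alert', 'log', or None for the leading bytes of a spool file.

    Snort writes the header in host byte order, so both little- and
    big-endian encodings of the magic are accepted.
    """
    if len(header) < 4:
        return None
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, header[:4])[0]
        if magic in RECORD_TYPE:
            return RECORD_TYPE[magic]
    return None


def plugin_will_fire(header: bytes, plugin_record_type: str) -> bool:
    """True if a plugin bound to plugin_record_type ('log' for log_dump)
    would ever see a record from a spool file with this header."""
    return unified_record_type(header) == plugin_record_type


def check_spool_file(path: str) -> Optional[str]:
    """Read the first 4 bytes of a real spool file and classify it."""
    with open(path, "rb") as fh:
        return unified_record_type(fh.read(4))


if __name__ == "__main__":
    # Constructed headers, little-endian as an x86 sensor would write them.
    alert_hdr = struct.pack("<III", ALERT_MAGIC, 1, 0)
    log_hdr = struct.pack("<IHHIIII", LOG_MAGIC, 1, 2, 0, 0, 1514, 1)
    for name, hdr in (("snort.alert", alert_hdr), ("snort.log", log_hdr)):
        print(f"{name}: {unified_record_type(hdr)} records; "
              f"log_dump fires: {plugin_will_fire(hdr, 'log')}")
```

Pointing barnyard at a spool file base whose header reports 'alert' while only 'log' plugins are configured reproduces the symptom in the thread: the waldo file advances, but the log_dump output file is never created.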