[Snort-users] output plugins barnyard2

firnsy firnsy at ...14568...
Fri Dec 18 02:40:24 EST 2009


On Fri, 2009-12-18 at 12:38 +0530, Pradeep Lamabam wrote:
> Thanks a lot!!
> After reading your suggestion, I changed the commands to run
> barnyard2. It worked nicely.
> Now I can read the log files using log_tcpdump in barnyard2.conf with
> Wireshark.
> 

Good to hear (read).

In short, as of the 2-1.7 release there was a reasonable change in the
configuration file format to better align with that of Snort.

In addition the log_tcpdump plugin will operate as expected and will
attempt to autodetect the pcap format to write out to.


> On Thu, Dec 17, 2009 at 4:31 PM, firnsy <firnsy at ...14568...>
> wrote:
>         
>         On Thu, 2009-12-17 at 15:55 +0530, Pradeep Lamabam wrote:
>         > Location of barnyard2 files:
>         > /etc/snort/barnyard2.conf (THIS ONE I COPIED DURING INSTALLATION!!)
>         > /usr/local/etc/barnyard2.conf (THIS ONE I DIDN'T GET IN V1.6)
>         > /usr/local/barnyard2-1.8-beta1
>         > /usr/local/barnyard2-1.8-beta1/etc/barnyard2.conf
>         > /usr/local/barnyard2-1.8-beta1/rpm/barnyard2
>         > /usr/local/barnyard2-1.8-beta1/rpm/barnyard2.config
>         > /usr/local/barnyard2-1.8-beta1/rpm/barnyard2.spec
>         > /usr/local/barnyard2-1.8-beta1/src/barnyard2
>         > /usr/local/barnyard2-1.8-beta1/src/barnyard2.o
>         > /usr/local/barnyard2-1.8-beta1/src/barnyard2.c
>         > /usr/local/barnyard2-1.8-beta1/src/barnyard2.h
>         > /usr/local/bin/barnyard2
>         >
>         > barnyard2.conf (in /etc/snort)
>         > alert_fast: /var/log/snort/barnyard2.alerts
>         > output log_tcpdump: tcpdump.log
>         > output database: alert, mysql, user=snort password=password dbname=snort host=localhost
>         >
>         > barnyard command:
>         >  /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -D
>         >
>         > barnyard.waldo
>         > -rw-r--r--  1 root  root    38 2009-12-17 14:58 barnyard.waldo
>         > -rw-------  1 snort snort    0 2009-12-17 14:58 snort.log.1261042083
>         >
>         > /var/log/snort snort.log 1261042083 0
>         >
>         > The issue still is: barnyard2 is not running. Checked using ps -e|grep barnyard2
>         >
>         
>         
>         I see a couple of issues with your configuration ...
>         
>         barnyard2 is not running because it is likely erroring on the absence of
>         "/var/log/barnyard2". It would be looking for this directory due to an
>         alternative being defined in either the conf file (using "config logdir")
>         or at the command line (using "-l").
>         
>         Please try running barnyard with the following command:
>          /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -l /var/log/snort -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -D
>         
>         
>         Also please omit the "-D" option during testing so you can see any
>         errors being written to stdout.
>         
>         Lastly your alerts will not have any useful information assigned to them
>         as they don't contain any reference files defined in the conf file.
>         Please see the supplied barnyard2.conf for a good example.
>         

Regards,

-- 
firnsy
www.securixlive.com
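As an added example (not from this thread and not part of barnyard2), a POSIX sh pre-flight check that reports the conditions firnsy's reply points at before barnyard2 is daemonised with -D: a missing or unwritable log directory (-l), no readable spool files matching the -f prefix in the -d directory, an unwritable waldo location, and a conf with no reference/sid/gen file directives. The directive names `config reference_file`, `config sid_file` and `config gen_file` are assumed from the barnyard2.conf shipped with barnyard2; the paths in the final call are the ones quoted in the thread.

```shell
#!/bin/sh
# Pre-flight check for a barnyard2 spool reader. Prints each problem and
# returns 0 only when barnyard2 has what it needs; running this before
# starting with -D avoids hunting for errors that never reach stdout.
# Arguments mirror barnyard2's options: conf (-c), logdir (-l),
# spooldir (-d), spool file prefix (-f), waldo file (-w).
barnyard2_preflight() {
    conf=$1; logdir=$2; spooldir=$3; prefix=$4; waldo=$5
    rc=0
    [ -r "$conf" ] || { echo "conf not readable: $conf"; rc=1; }

    # barnyard2 errors out when the log directory does not exist (the
    # "/var/log/barnyard2" case in the thread); it must also be writable.
    [ -d "$logdir" ] && [ -w "$logdir" ] \
        || { echo "logdir missing or not writable: $logdir"; rc=1; }

    # The spool directory must hold at least one readable file named
    # <prefix>.<timestamp>, e.g. snort.log.1261042083.
    [ -d "$spooldir" ] || { echo "spool dir missing: $spooldir"; rc=1; }
    found=0
    for f in "$spooldir/$prefix".*; do
        if [ -r "$f" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] \
        || { echo "no readable spool files: $spooldir/$prefix.*"; rc=1; }

    # The waldo (bookmark) file's directory must be writable so barnyard2
    # can record how far into the spool it has read.
    [ -w "$(dirname "$waldo")" ] \
        || { echo "waldo dir not writable: $(dirname "$waldo")"; rc=1; }

    # Without reference/sid/gen files alerts carry no useful names
    # (directive names assumed from the shipped barnyard2.conf).
    for d in reference_file sid_file gen_file; do
        grep -q "^config $d" "$conf" 2>/dev/null \
            || echo "warning: no 'config $d' line in $conf"
    done
    return $rc
}

# Stand-alone use: pass the same five values you give barnyard2.
if [ $# -ge 5 ]; then
    barnyard2_preflight "$@"
else
    barnyard2_preflight /etc/snort/barnyard2.conf /var/log/snort \
        /var/log/snort snort.log /var/log/snort/barnyard.waldo
fi
```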