[Snort-users] Barnyard: Syslog output FAIL!

Nick Moore nmoore at ...1935...
Fri Nov 13 13:25:32 EST 2009


Wilson,

I covered this in my setup guides on Snort.org. Please download either  
the Fedora or Ubuntu version and give it a shot.

Sent from my mobile device.

Nick Moore
Phone 708-336-9041
Email nmoore at ...14707...


On Nov 13, 2009, at 10:57, "Chan, Wilson" <wchan at ...14702...> wrote:

> Is there any howto's on getting barnyard2 working? I tried google  
> and didn't seem to find any complete configs and templates on  
> getting barnyard2 working with mysql and syslog.
>
>
> ----- Original Message -----
> From: Jason Wallace <jason.r.wallace at ...11827...>
> To: snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>
> Sent: Fri Nov 13 04:26:26 2009
> Subject: Re: [Snort-users] Barnyard: Syslog output FAIL!
>
> I would recommend having snort output using the unified2 format and
> use barnyard2 http://www.securixlive.com/barnyard2/download.php
>
> The unified2 format has both the alert and log information in one file
> so you only need one instance of barnyard2. The original barnyard is
> outdated, unmaintained, and does not support unified2. You're not
> likely to get a lot of help using the original version of barnyard.
>
> On Thu, Nov 12, 2009 at 9:37 PM, Chan, Wilson <wchan at ...14702...> wrote:
>> Why is barnyard not outputting to syslog? Configurations below:
>>
>>
>>
>> What is driving me nuts is when I run in batch mode for snort.log nothing
>> happens on syslog but as soon as I run batch mode in alert it gets output.
>> How do you get syslog to report on the snort.log files in daemon mode?
>>
>>
>>
>> barnyard -o snort.log.1258079148 -v
>>
>> barnyard -o snort.alert.1258079148 -v
>>
>>
>>
>> ==barnyard.conf==
>>
>> config daemon
>>
>> config localtime
>>
>> config hostname: snort-test-laptop
>>
>> config interface: eth2
>>
>> output log_dump
>>
>> output alert_syslog: LOG_LOCAL4 LOG_ALERT
>>
>>
>>
>> ==/etc/syslog.conf==
>>
>> #Output logs from Barnyard to Syslog Server (remote)
>>
>> local4.*                                         @192.168.1.1
>>
>>
>>
>>
>>
>> Wilson
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
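
An added example, not part of the original thread: a Python check that the facility and priority on the `output alert_syslog:` line of the posted barnyard.conf are selected by a rule in the posted /etc/syslog.conf. It handles classic syslog.conf selectors only (`*`, `none`, `=priority`, `;` and `,`), and the `/var/log/messages` rule in the sample is constructed for illustration.

```python
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# barnyard.conf and the local4 rule are as posted; the /var/log/messages rule is constructed.
BARNYARD_CONF = "config daemon\noutput log_dump\noutput alert_syslog: LOG_LOCAL4 LOG_ALERT\n"
SYSLOG_CONF = "*.info;local4.none  /var/log/messages\nlocal4.*  @192.168.1.1\n"

def alert_syslog_target(barnyard_conf):
    """Return (facility, severity) named on the 'output alert_syslog:' line, or None."""
    for line in barnyard_conf.splitlines():
        m = re.match(r"\s*output\s+alert_syslog\s*:\s*(.+)", line)
        if m:
            opts = [o[4:].lower() for o in m.group(1).split() if o.startswith("LOG_")]
            return (next((o for o in opts if o in FACILITIES), None),
                    next((o for o in opts if o in SEVERITIES), None))
    return None

def pri(fac, sev):
    """Syslog PRI value carried in the <...> prefix of the forwarded datagram."""
    return FACILITIES[fac] * 8 + SEVERITIES[sev]

def actions_for(syslog_conf, fac, sev):
    """Actions of the syslog.conf rules that select a fac.sev message."""
    hits = []
    for line in syslog_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        matched = False
        for sel in parts[0].split(";"):       # later selectors override earlier ones
            facs, _, prio = sel.rpartition(".")
            if not {"*", fac} & set(facs.split(",")):
                continue
            if prio in ("*", "none"):
                matched = prio == "*"
            elif prio.lstrip("=") in SEVERITIES:
                want = SEVERITIES[prio.lstrip("=")]
                matched = SEVERITIES[sev] == want if prio[0] == "=" else SEVERITIES[sev] <= want
        if matched:
            hits.append(parts[1].strip())
    return hits

if __name__ == "__main__":
    fac, sev = alert_syslog_target(BARNYARD_CONF)
    print(fac, sev, pri(fac, sev), actions_for(SYSLOG_CONF, fac, sev))
```

For the two files as posted, the only selected action is the remote forward `@192.168.1.1`, so the syslog.conf rule does cover the local4.alert messages that the alert_syslog plugin emits.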
