[Snort-users] Barnyard2 to remote server

Martin Holste mcholste at ...11827...
Sat Aug 27 12:06:32 EDT 2011


Just have Snort or Barnyard output as syslog and have the syslog
server be your custom node.  Parsing syslog is trivial, and you can
then apply your HTML5 wrapper around it.  This will be the best
solution because you do not need to customize Snort or Barnyard--they
can be stock installations.  All of the custom code will be on your
custom node.

On Sat, Aug 27, 2011 at 9:54 AM, Sherman Boyd <sherman at ...15372...> wrote:
>>>Your objective is to send "alert_fast" type events over the network to
>>>your remote system running on 192.168.9.1:1212.
>>>What service is running on that port and what type of input it is expecting?
>
> The service will be a custom node.js application, so the type of input
> can really be whatever.  I imagine that ASCII "alert_fast" type input
> will be way easier to parse than snort unified.
>
> Best regards,
>
> Sherman Boyd
>
> On Sat, Aug 27, 2011 at 12:18 AM, beenph <beenph at ...11827...> wrote:
>> On Sat, Aug 27, 2011 at 2:15 AM, Sherman Boyd <sherman at ...15372...> wrote:
>>> Hi,
>>>
>>> I'm working on a realtime visualization project for snort.  I'd like
>>> snort to pump all it's data over tcp/ip to a remote server, running
>>> custom node server that parcels out each event to an html5 server.   I
>>> don't want to use SQL, but other than that I'm pretty flexible with
>>> how the data is encapsulated.  Is there an existing barnyard2 plugin
>>> that will meet my needs?  Do I need to write a custom by2 output
>>> plugin?  Or is there a way to pump the data out directly from snort?
>>>
>>> To put it another way, I'm looking for alert_fast, except I don't want
>>> to write to a file I want to send it to 192.168.9.1:1212.
>>>
>>>
>>
>> Your objective is to send "alert_fast" type events over the network to
>> your remote system running on 192.168.9.1:1212.
>> What service is running on that port and what type of input it is expecting?
>>
>> If you need a specialized output mode, then you might base yourself
>> on an already existing output plugin
>> and add the code you need, or, as you mentioned, write your own output
>> plugin from the ground up.
>>
>> Do not hesitate to join our barnyard2 mailing list (google group)
>> -elz
>>
>
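The approach recommended above (stock Snort/Barnyard2 emitting syslog, all custom code on the node.js side), worked through as an added example that is not part of this thread, of Snort or of Barnyard2. It assumes the sensor delivers one alert per UDP datagram to port 1212 (the port named in the thread), that the sensor logs under the program name "snort" or "barnyard2", and that IPv6 addresses can be split from their port on the last colon; the sample lines are constructed, not captured. Getting the line onto the wire (Snort's alert_syslog output, Barnyard2's syslog output, or the host's syslog daemon forwarding to 192.168.9.1:1212) is left to the sensor side. The parser accepts both a syslog-wrapped alert and a raw alert_fast line, since the body after the header is the same in both.

```javascript
'use strict';
// Added example for this thread (not Snort or Barnyard2 code): a small node.js
// receiver that takes Snort alerts delivered as syslog datagrams, or raw
// alert_fast lines, and turns each one into a JSON event for a front end.
// Assumptions: alerts arrive over UDP on port 1212, one alert per datagram,
// and the sensor logs as program "snort" or "barnyard2". Sample lines below
// are constructed, not captured from a real sensor.

// Optional RFC 3164-style syslog prefix: <PRI>, timestamp, host, program[pid]:
const SYSLOG_HEADER =
  /^(?:<(\d{1,3})>)?(?:(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+)?(?:(\S+)\s+)?(snort|barnyard2)\[(\d+)\]:\s*/;

// Prefix of an alert_fast line: "MM/DD-HH:MM:SS.usec  [**] "
const ALERT_FAST_HEADER = /^(\d\d\/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s*/;

// Alert body shared by both formats:
// [gid:sid:rev] msg [**]? [Classification: x]? [Priority: n]? {PROTO}? src -> dst
const ALERT_BODY =
  /^\[(\d+):(\d+):(\d+)\]\s+(.*?)\s*(?:\[\*\*\])?\s*(?:\[Classification:\s*([^\]]*)\])?\s*(?:\[Priority:\s*(\d+)\])?\s*(?:\{([A-Za-z0-9-]+)\})?\s+(\S+)\s+->\s+(\S+)\s*$/;

// Split "ip:port". ICMP alerts carry no port; for IPv6 the split on the last
// colon is an assumption of this example, not something the thread states.
function splitEndpoint(endpoint, proto) {
  if (proto === 'ICMP') return { ip: endpoint, port: null };
  const m = /^(.+):(\d+)$/.exec(endpoint);
  return m ? { ip: m[1], port: Number(m[2]) } : { ip: endpoint, port: null };
}

// Parse one line; returns an event object, or null if it is not a Snort alert.
function parseAlert(line) {
  let rest = line.trim();
  let pri = null, timestamp = null, sensor = null, program = null, pid = null;
  let m = SYSLOG_HEADER.exec(rest);
  if (m) {
    pri = m[1] === undefined ? null : Number(m[1]);
    timestamp = m[2] || null;
    sensor = m[3] || null;
    program = m[4];
    pid = Number(m[5]);
    rest = rest.slice(m[0].length);
  } else if ((m = ALERT_FAST_HEADER.exec(rest))) {
    timestamp = m[1];
    rest = rest.slice(m[0].length);
  }
  const b = ALERT_BODY.exec(rest);
  if (!b) return null;
  const proto = b[7] || null;
  const src = splitEndpoint(b[8], proto);
  const dst = splitEndpoint(b[9], proto);
  return {
    timestamp, sensor, program, pid,
    facility: pri === null ? null : pri >> 3, // RFC 3164: PRI = facility*8 + severity
    severity: pri === null ? null : pri & 7,
    gid: Number(b[1]), sid: Number(b[2]), rev: Number(b[3]),
    msg: b[4],
    classification: b[5] === undefined ? null : b[5].trim(),
    priority: b[6] === undefined ? null : Number(b[6]),
    proto,
    src: src.ip, sport: src.port,
    dst: dst.ip, dport: dst.port,
    raw: line,
  };
}

// Parse many lines, keeping the ones that did not parse so they can be
// inspected instead of silently vanishing from the dashboard.
function parseAll(lines) {
  const events = [], rejected = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    const ev = parseAlert(line);
    if (ev) events.push(ev); else rejected.push(line);
  }
  return { events, rejected };
}

// UDP listener. Syslog over UDP is unauthenticated and trivially spoofable, so
// only datagrams from the listed sensor addresses are accepted; the rest are
// counted and dropped rather than shown as alerts.
function startReceiver({ port = 1212, address = '0.0.0.0', allowedSources = [] }, onEvent) {
  const dgram = require('dgram');
  const server = dgram.createSocket('udp4');
  const allow = new Set(allowedSources);
  const stats = { accepted: 0, rejected: 0, dropped: 0 };
  server.on('message', (buf, rinfo) => {
    if (allow.size && !allow.has(rinfo.address)) { stats.dropped++; return; }
    const { events, rejected } = parseAll(buf.toString('utf8').split('\n'));
    stats.accepted += events.length;
    stats.rejected += rejected.length;
    for (const ev of events) onEvent(ev, rinfo);
  });
  server.bind(port, address);
  return { server, stats };
}

// Constructed sample input: one syslog-wrapped alert, one alert_fast line,
// and one unrelated syslog message that must be rejected.
const SAMPLE_LINES = [
  '<33>Aug 27 12:06:32 sensor1 snort[4242]: [1:2001219:19] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:48211 -> 192.168.9.20:22',
  '08/27-12:06:33.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.9.20',
  '<38>Aug 27 12:06:34 sensor1 sshd[100]: Accepted publickey for admin',
];

if (process.argv.includes('--listen')) {
  // node receiver.js --listen   (sensor at 192.168.9.10 is an assumed address)
  const { server } = startReceiver({ port: 1212, allowedSources: ['192.168.9.10'] },
    (ev) => process.stdout.write(JSON.stringify(ev) + '\n'));
  server.on('listening', () => console.error('listening on udp/1212'));
} else {
  for (const ev of parseAll(SAMPLE_LINES).events) console.log(JSON.stringify(ev));
}
```

Run without arguments to see the two sample alerts as JSON; run with `--listen` to bind UDP/1212 and stream events to stdout for the HTML5 side to pick up. The source allowlist matters more than it looks: a syslog receiver on an open UDP port lets anyone who can reach it paint arbitrary alerts onto the visualization, so bind to the sensor-facing interface and keep the list tight (or put the sensor on a dedicated link). Lines that fail to parse are kept in `rejected` and counted, which is how you will notice when a Snort upgrade changes the line format.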
