[Snort-users] Barnyard2 configuration and event generation

beenph beenph at ...11827...
Wed Dec 19 12:22:58 EST 2012


On Wed, Dec 19, 2012 at 11:38 AM, Steve Marotta <smarotta at ...16014...> wrote:
>
> I'm using Barnyard2 to read Snort unified log files and generate some
> text log of events found in those logs.
> The problem is, all I'm getting is that there's a bunch of TCP packets. I
> was hoping for more specific information like
> ARP, HTTP, event/transaction information, that sort of thing. Snort
> seemed to have things categorized nicely, but I
> couldn't see the specific event list. All I want is a text log with
> detailed, specific events that give an idea of what is going on.
>
> The command I'm running to read the logs is:
> barnyard2 -c /usr/local/snort/etc/barnyard2.conf -o
> test-attack1.snort.u2.1355871919
>
> Is there another option I should try?
>

Well, the events that you will get are the events that are in your source
unified2 file.

An event is linked to a signature, so depending on your signature, you will
have the triggering packet or packets logged to the unified2 file.

If you use barnyard2 alert fast output you will mainly see the signature
time, signature message, source and destination, but you will not see the
payload.

I would suggest that maybe you use output database and use a frontend like
Snorby or BASE to better visualise the content of events.

The syslog output could also be something you might want to look at.

You can also always use two tools that come with Snort:
- u2spewfoo: visualise the content of a unified2 file
- u2boat: extract packets from a unified2 file

-elz
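To show what actually sits in a unified2 file (event records tied to a signature, plus the triggering packet records that alert_fast never prints), here is a small unified2 reader added as an example; it is not code from Snort, barnyard2 or u2spewfoo. It assumes the legacy IPv4 event (type 7) and packet (type 2) record layouts, and the sample file it parses is constructed inline with a made-up local SID and a bare payload instead of a full link-layer frame.

```python
import socket
import struct

# Record types and fixed layouts as in Snort's Unified2_common.h (big-endian on disk).
UNIFIED2_PACKET = 2       # Serial_Unified2Packet: the triggering packet bytes
UNIFIED2_IDS_EVENT = 7    # Unified2IDSEvent_legacy: IPv4 event, 52-byte body
_HDR = struct.Struct(">II")               # record type, record length
_EVENT = struct.Struct(">9I4s4sHH4B")     # 52 bytes; IPs kept as raw 4-byte strings
_PKT = struct.Struct(">7I")               # 28-byte packet header, packet data follows

def iter_records(data):
    """Walk a unified2 byte string, yielding (type, body); stops at a truncated record."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            break                          # partial record at end of file (e.g. still being written)
        yield rtype, body
        off += _HDR.size + rlen

def summarize(data):
    """Return one dict per event: the alert_fast-style fields plus the payload alert_fast omits."""
    events, packets = {}, {}
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = _EVENT.unpack_from(body)
            events[f[1]] = {"event_id": f[1], "second": f[2], "gid": f[5], "sid": f[4],
                            "rev": f[6], "src": socket.inet_ntoa(f[9]),
                            "dst": socket.inet_ntoa(f[10]), "sport": f[11],
                            "dport": f[12], "proto": f[13], "payload": b""}
        elif rtype == UNIFIED2_PACKET:
            p = _PKT.unpack_from(body)     # p[1] = event_id, p[6] = packet_length
            packets.setdefault(p[1], []).append(body[_PKT.size:_PKT.size + p[6]])
    for eid, ev in events.items():         # pair packets with their event by event_id
        ev["payload"] = b"".join(packets.get(eid, []))
    return list(events.values())

def build_sample():
    """Constructed sample file: one event (hypothetical SID 1000001) plus its packet record."""
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed, not a real capture
    event = _EVENT.pack(1, 7, 1355871919, 0, 1000001, 1, 3, 0, 2,
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"),
                        40000, 80, 6, 0, 0, 0)
    pkt = _PKT.pack(1, 7, 1355871919, 1355871919, 0, 1, len(payload)) + payload
    return (_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            _HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)

if __name__ == "__main__":
    for ev in summarize(build_sample()):
        print(ev)
```

Cutting the sample short (as happens when reading a file Snort is still writing) drops the partial packet record but keeps the event, so the payload simply comes back empty rather than garbled.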