[Snort-users] Lets talk about ....
peter.bates at ...15381...
Sun Oct 7 05:23:54 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 07/10/2012 03:42, PR wrote:
> 1. isnt barnyard2 supposed to be able to allow you to view the
> sigs/data or just does it say ICMP yadda...
If snort is generating unified2 data in snort.log, you can use
u2spewfoo snort.log.x to read the contents.
If your snort.conf is also doing fast alerting then you'll have the
hits in 'alert' as well.
> 2. do need to do anything with my snort.rules, like cat snort.rules
> >> local.rules ??
This seems to have been asked about a few times recently.
You need to
in your snort.conf.
There's an argument for Snort perhaps coming either with a default set
of rules or to have all the include lines except for local.rules
> 3. how do i get data from barnyard2 to my db to view in a pretty
> browser GUI like base or snortreport, or jpgraph?
Barnyard2 should be putting the alerts into your DB if correctly
configured, see for example:
mysql snort -u snort -p
select count(*) from event;
If the count is increasing then your alerts are going into the DB.
The last time I set up a box from scratch I found the Debian HOWTO
from snort.org to be the most clear on different steps:
PulledPork downloads the rules and also reads your snort.conf
for paths where to put things like Shared Object files, etc.
It then either outputs to individual rules which you need to include
individually as 'include' in snort.conf or as a single file.
Snort then runs and writes the unified2 logfiles.
Barnyard2 waits to see u2 files appearing in the place you designate
as input and then does its job as output processor - generally
outputting to DB as the simpler outputs Snort can still do itself.
Rule manager -> IDS -> Output processor -> Alert front-end
Lousy ASCII flowchart, I know.
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Snort-users