[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Oct 25 10:00:41 EDT 2012


Beenph,

barnyard2-1.10 command line:
    /smlog/barnyard2/bin/barnyard2 -eDUqc /smlog/barnyard2/etc/barnyard2.conf \
        --alert-on-each-packet-in-stream --pid-path /smlog/ \
        -l /smlog/logs/barnyard2 -d /smlog/logs -f snort.log \
        -w /smlog/logs/snort.waldo &
snort.conf:
    output unified2: filename snort.log, limit 128

Thanks,
Larry


----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
Cc: "Jack" <kingofnerds at ...11827...>; <barnyard2-users at ...14071...>; 
"snort-users" <snort-users at lists.sourceforge.net>
Sent: Thursday, October 25, 2012 9:48 AM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


> On Thu, Oct 25, 2012 at 9:40 AM, Lawrence R. Hughes, Sr.
> <lhughes at ...14822...> wrote:
>> Beenph,
>>
>> As you suggested yesterday to add the following:
>>
>>
>> "add  --alert-on-each-packet-in-stream in your barnyard2 command line
>> and it will work as expected."
>>
>> This does not work, I have a unified2 file from snort that has 4 packets
>> along with the alert, but barnyard2-1.10 is only inserting the first packet
>> into the snort.data table???
>>
>
> What barnyard2 command line do you use?
>
> Also what is your unified2 output configuration in snort.conf?
>
>
>
>> So far we have increased the CACHED_EVENTS_MAX from 512 to 2048 and again
>> to 4096 (did not help)
>> added: --alert-on-each-packet-in-stream to barnyard2 command line (did not
>> help).
>>
>> What do you suggest now to get barnyard2-1.10 to work as you say it should?
>> BTW it never worked in barnyard2-1.8 either.
>>
> I can't say for 2-1.8.
>
> -elz
> 
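
A check worth running before tuning barnyard2 any further is to look at what
the unified2 file itself contains. The script below is an added example, not
code from the thread, from Snort or from barnyard2: it walks the unified2
record stream (record header and IDS_EVENT / PACKET layouts as in Snort's
Unified2_common.h) and counts packet records per (sensor_id, event_id), so
you can confirm that the file written by "output unified2: filename
snort.log, limit 128" really holds four packet records for the alert. The
sample stream at the bottom is constructed inline (one event with four
packets, one event with a single packet); pass a real snort.log.<timestamp>
file on the command line to inspect your own output.

```python
"""Count unified2 packet records per event.

Added example for the barnyard2 thread, not project code.  Record layouts
follow Snort's Unified2_common.h; the sample stream is constructed here.
"""
import struct
import sys
from collections import OrderedDict

# Record types from Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2}

RECORD_HDR = struct.Struct("!II")        # type, length (network byte order)
# PACKET: sensor_id, event_id, event_second, packet_second,
#         packet_microsecond, linktype, packet_length, then packet bytes
PACKET_HDR = struct.Struct("!IIIIIII")
# IDS_EVENT (legacy IPv4, 52 bytes): sensor_id, event_id, event_second,
#   event_microsecond, signature_id, generator_id, signature_revision,
#   classification_id, priority_id, ip_source, ip_destination,
#   sport_itype, dport_icode, protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")


def iter_records(data):
    """Yield (record_type, body) for every record; raise on truncation."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, body
        off += rlen


def packets_per_event(data):
    """Map (sensor_id, event_id) -> {'gid', 'sid', 'packets'}.

    All event record types share the same first six fields, so the generator
    and signature ids are read from the same offsets for IPv4/IPv6/V2 records.
    A packet record whose event was never seen is kept with gid/sid None; in
    practice that points at a waldo/offset problem rather than at the sensor.
    """
    events = OrderedDict()
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            sensor_id, event_id, _sec, _usec, sid, gid = \
                struct.unpack_from("!IIIIII", body, 0)
            events[(sensor_id, event_id)] = {"gid": gid, "sid": sid, "packets": 0}
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id = struct.unpack_from("!II", body, 0)
            entry = events.setdefault((sensor_id, event_id),
                                      {"gid": None, "sid": None, "packets": 0})
            entry["packets"] += 1
        # EXTRA_DATA and other record types are not relevant to the count
    return events


# --- constructed sample stream (not captured from a real sensor) ---------
def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def make_ipv4_event(sensor_id, event_id, second, gid, sid):
    return _record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        sensor_id, event_id, second, 0, sid, gid, 1, 0, 3,
        0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0))


def make_packet(sensor_id, event_id, second, payload):
    return _record(UNIFIED2_PACKET, PACKET_HDR.pack(
        sensor_id, event_id, second, second, 0, 1, len(payload)) + payload)


SAMPLE = b"".join([
    make_ipv4_event(1, 100, 1351173641, 1, 1000001),
    make_packet(1, 100, 1351173641, b"\x00" * 60),
    make_packet(1, 100, 1351173641, b"\x01" * 60),
    make_packet(1, 100, 1351173641, b"\x02" * 60),
    make_packet(1, 100, 1351173641, b"\x03" * 60),
    make_ipv4_event(1, 101, 1351173642, 1, 1000002),
    make_packet(1, 101, 1351173642, b"\x04" * 60),
])


if __name__ == "__main__":
    # usage: python u2count.py /smlog/logs/snort.log.<timestamp>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for (sensor, eid), e in packets_per_event(data).items():
        print("sensor %d event %d gid %s sid %s: %d packet record(s)"
              % (sensor, eid, e["gid"], e["sid"], e["packets"]))
```

If the count for the event is already 1 here, the sensor side (snort's
unified2 output) is where to look; if it is 4 and only one row reaches the
database, the loss is on the barnyard2 side.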
