[Snort-users] Fwd: [barnyard2-users] Can get barnyard2 to read from Snort log but won't write to alert file

waldo kitty wkitty42 at ...14940...
Mon Jul 22 16:47:23 EDT 2013


On 7/22/2013 15:57, mulhern wrote:
>
>     what is the error? our crystal balls are broken and in the shop again ;)
>
> Sorry, the error is so uninformative, I figured it was just complaining about
> the syntax, but here it is:
>
> ERROR: alert_fast error in /etc/snort/barnyard2.conf (227): alert.fast

i see... all it really tells you is that the error is on line 227 in 
barnyard2.conf and what that line contains... reading your reply further, it 
doesn't say that it can't access the file for writing which appears to have been 
the cause...

>     you are not trying to get BY2 to write to the same alert file that snort is
>     writing to, are you? they should each write to their own...
>
> I think this is what I had done. I renamed the output file to something sure not
> to conflict and found it. Thanks!

found it? fixed it? if so, nice :)

> Can you throw me a hint about having barnyard delete files once read?

i don't know if it does... i've not read others saying that such was done or 
not... as i understand it, most folks keep them around for historical reasons 
and in case they need to rebuild the database(s)... it is evidence, ya know ;)

plus, i do not run barnyard ;) O:)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
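
The two causes discussed in this message (barnyard2's `alert_fast` output naming the file snort already writes, and a target that cannot be opened for writing) can be checked before barnyard2 is started. This is an added example, not part of the original message or of either project. The function names, the sample configs and the rule that a relative file name is resolved against the log directory are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: a relative alert_fast file name is resolved
# against the process's log directory (-l); paths with spaces are not handled.

# Print each file that "output alert_fast: <name>" in config $1 points at,
# resolved against log directory $2. Commented-out lines and "stdout" are skipped.
alert_fast_targets() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}alert_fast[[:space:]]*:[[:space:]]*\([^[:space:]#]\{1,\}\).*/\1/p' "$1" |
    while read -r _t; do
        case $_t in
            stdout) ;;
            /*) printf '%s\n' "$_t" ;;
            *)  printf '%s/%s\n' "$2" "$_t" ;;
        esac
    done
}

# $1 snort.conf  $2 barnyard2.conf  $3 snort log dir  $4 barnyard2 log dir
# Returns 0 if every barnyard2 target is usable, 1 on a collision with a
# snort output file, 2 if a target cannot be opened for writing.
check_by2_output() {
    _snort=$(alert_fast_targets "$1" "$3")
    _rc=0
    for _f in $(alert_fast_targets "$2" "$4"); do
        if printf '%s\n' "$_snort" | grep -Fxq -- "$_f"; then
            echo "COLLISION: $_f is also a snort output file"; _rc=1
        elif [ -e "$_f" ] && [ ! -w "$_f" ]; then
            echo "NOT WRITABLE: $_f"; [ "$_rc" -ne 0 ] || _rc=2
        elif [ ! -e "$_f" ] && [ ! -w "$(dirname -- "$_f")" ]; then
            echo "CANNOT CREATE: $_f"; [ "$_rc" -ne 0 ] || _rc=2
        else
            echo "OK: $_f"
        fi
    done
    return "$_rc"
}

# Constructed sample configs (not taken from the thread): both tools share
# one log directory and both name alert.fast, so the check reports a collision.
demo() {
    _d=$(mktemp -d) || return 0
    printf 'output alert_fast: alert.fast\n' > "$_d/snort.conf"
    printf '# output alert_fast: stdout\noutput alert_fast: alert.fast\n' > "$_d/barnyard2.conf"
    check_by2_output "$_d/snort.conf" "$_d/barnyard2.conf" "$_d" "$_d" || echo "exit status $?"
    rm -rf "$_d"
}
demo
```

Run it as the account barnyard2 runs under, since the writability test reflects the permissions of whoever executes the script.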



