On 7/26/2013 05:05, Abid Ayoub wrote:
> Hi,
> Thank you for the answer.
> ok, so i should run barnyard2 then run snort. In this case, barnyard2 will
> detect the new file generated by snort and put the data into the snort database. is
> this right?

yes... you should be able to execute them in either order... i don't believe 
that is critical...

> you mention "unified2 log file", is this the file generated by snort? for
> example snort.log.1374827257?

the name depends on your configuration... by default (and with -A full -b) snort 
creates a text file of all the alerts named alert and it creates a new 
snort.log.xxxxxxxxxx for each session... these snort.log.xxxxxxxxxx files are 
actually pcaps of the data that caused snort to raise the alerts...

> So when i run the following command:
> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d
> /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

previously and now, when i see the "-f snort.u2" portion, i'm guessing that that 
indicates which base file name BY2 is to read and process...

> snort.u2 is the generated file, read by barnyard2 from the directory /var/log/snort?
> should i mention other options in the barnyard2 command?

if my guess above is accurate, you have at least this in your snort config...

   output unified2: filename snort.u2

you may have additional parameters enhancing it... this results in files named 
snort.u2.xxxxxxxxxx in your snort log directory... those are the unified2 log 
files... one for each session that snort is executed...

FWIW: snort.u2 is the base file name and the .xxxxxxxxxx (10 digits) are the 
unix timestamp of when the file was created ;)

> Thanks a lot
> Abid
> 2013/7/24 waldo kitty <wkitty42 at ...14940...>
>     On 7/24/2013 05:45, Abid Ayoub wrote:
>      > Hello,
>      > i want to save the sniff result in a database.
>      > So, how can i do that when i have a lot of traffic?
>      > Should i use barnyard2? i didn't understand why i should use it and what for?
>     barnyard2 reads the snort unified2 log file and puts the data into the database
>     for you... barnyard2 handles all the database communication... before, when
>     snort tried to do it, snort could get hung up waiting on the database to
>     respond... during that period, traffic would be lost to snort and it could not
>     analyze it... since the alerts and evidence are written to the unified2 log,
>     barnyard2 can put it in the database when possible... if the database is down
>     for some reason, barnyard2 will wait for the database to come back and then
>     continue to put the data in... all this time, snort is still analyzing the
>     traffic and no data is lost...
>     does that answer your questions?
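As an added example (not code from this thread, snort or barnyard2): a small Python script covering the two things discussed above, the snort.u2.xxxxxxxxxx spool files that barnyard2 reads and the unified2 records inside them. It orders spool files by their 10-digit unix timestamp and walks a spool's records using the standard unified2 framing (big-endian type/length header, type 7 = legacy IPv4 IDS event), which is what barnyard2 decodes before it talks to the database; the spool bytes are constructed inline rather than read from /var/log/snort.

```python
import re
import struct
from ipaddress import IPv4Address

# Standard unified2 framing: each record starts with a big-endian (type, length) header.
REC_HDR = struct.Struct(">II")
IDS_EVENT_TYPE = 7                         # Unified2IDSEvent_legacy (IPv4), 52 bytes
IDS_EVENT = struct.Struct(">11I2H4B")
FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
          "generator_id", "signature_revision", "classification_id", "priority_id",
          "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
          "impact_flag", "impact", "blocked")


def spool_files(names, base="snort.u2"):
    """(unix_ts, name) for files named <base>.<10-digit timestamp>, oldest first."""
    pat = re.compile(r"^%s\.(\d{10})$" % re.escape(base))
    found = [(int(m.group(1)), n) for n in names for m in [pat.match(n)] if m]
    return sorted(found)


def parse_events(data):
    """Walk the records in a unified2 spool; decode type-7 events, skip others by length."""
    events, off = [], 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            break  # partial trailing record: snort may still be writing this file
        if rtype == IDS_EVENT_TYPE and rlen >= IDS_EVENT.size:
            ev = dict(zip(FIELDS, IDS_EVENT.unpack_from(data, off)))
            ev["src"] = str(IPv4Address(ev["ip_source"]))
            ev["dst"] = str(IPv4Address(ev["ip_destination"]))
            ev["sid"] = "%d:%d:%d" % (ev["generator_id"], ev["signature_id"],
                                      ev["signature_revision"])
            events.append(ev)
        off += rlen
    return events


def build_sample():
    """Constructed spool content: one IDS event (sid 1:1000001) then a type-2 packet record."""
    body = IDS_EVENT.pack(1, 42, 1374827257, 0, 1000001, 1, 1, 3, 2,
                          int(IPv4Address("10.0.0.1")), int(IPv4Address("192.168.0.5")),
                          44444, 80, 6, 0, 0, 0)
    pkt = struct.pack(">7I", 1, 42, 1374827257, 1374827257, 0, 1, 4) + b"\xde\xad\xbe\xef"
    return (REC_HDR.pack(IDS_EVENT_TYPE, len(body)) + body
            + REC_HDR.pack(2, len(pkt)) + pkt)
```

Pointing spool_files at a listing of /var/log/snort shows which spool a fresh barnyard2 run (no waldo bookmark yet) would start from, and the truncated-record check in parse_events is the same situation barnyard2 handles when it tails a file snort is still writing.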

