[Snort-users] data base

waldo kitty wkitty42 at ...14940...
Fri Jul 26 14:43:00 EDT 2013

On 7/26/2013 07:30, Abid Ayoub wrote:
> Hi
> Thanks a lot , this is clear now.
> So , barnyard2 will save in the data base only the alert ? can i make a
> configuration to tell barnyard to save all the traffic ?

i don't understand... save all what traffic? BY2 can only save what snort puts 
in the unified2 log file... snort only puts in the unified2 log file that 
traffic which causes it to raise an alert based on the rules employed...

> Thanks
> Abid
> 2013/7/26 waldo kitty <wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>>
>     On 7/26/2013 05:05, Abid Ayoub wrote:
>      > Hi,
>      >
>      >
>      > Thank you for the answer.
>      > ok , so i should run barnyard2 then run snort. In this case, branyard2 will
>      > detect the new generated file by snort and put the data into snort data
>     base. is
>      > this right ?
>     yes... you should be able to execute them in either order... i don't believe
>     that is critical...
>      > you mention "unified2 log file" , is this the gnerated file by snort ? for
>      > examlpe snort.log.1374827257 ?
>     the name depends on your configuration... by default (and with -A full -b) snort
>     creates a text file of all the alerts named alert and it creates a new
>     snort.log.xxxxxxxxxx for each session... these snort.log.xxxxxxxxxx files are
>     actually pcaps of the data that caused snort to raise the alerts...
>      > So when i run  the following command :
>      > /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d
>      > /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
>     previously and now, when i see the "-f snort.u2" portion, i'm guessing that that
>     indicates which base file name BY2 is to read and process...
>      > snort.u2 is the genrated file, read by barnyard2 from te directrory
>     /var/log/snort ?
>      > should i mention other options in barnyard2 command ?
>     if my guess above is accurate, you have at least this in your snort config...
>         output unified2: filename snort.u2
>     you may have additional parameters enhancing it... this results in files named
>     snort.u2.xxxxxxxxxx in your snort log directory... those are the unified2 log
>     files... one for each session that snort is executed...
>     FWIW: snort.u2 is the base file name and the .xxxxxxxxxx (10 digits) are the
>     unix timestamp of when the file was created ;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list