[Snort-users] barnyard2, syslog and pulling the packet data
ran_r at ...17068...
Mon Jan 19 03:30:47 EST 2015
This is the requirement:
From a syslog message that describes an alert to be able to grab the entire
packet that caused this alert.
I thought of a few ways to do this, and after considering other requirements
as well, came to the conclusion that I would like to work in this way:
1. snort output to unified2 files.
2. barnyard2 reads the files and takes two outputs:
Based on the information in the syslog message, I'll be able to correlate
between the message and the saved event.
As far as I understand, the correlation should be done using sid and cid.
However, I can't find them in the syslog message.
Am I missing something?
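Added example, not code from the original post or from the barnyard2 project: it parses a unified2 byte stream and looks up the packet record for a given sensor id / event id pair, which is the (sid, cid) key that ties an alert to its captured packet inside the unified2 data. The record layouts follow Snort's Unified2IDSEvent (type 7) and Unified2Packet (type 2) structures; the sample stream at the bottom is constructed inline.

```python
import struct

# Record types and fixed layouts from Snort's Unified2_common.h (big-endian).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
HDR = struct.Struct("!II")                           # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")   # Unified2IDSEvent, 60 bytes
PACKET = struct.Struct("!IIIIIII")                   # Unified2Packet header, 28 bytes

def records(data):
    """Yield (type, body) for each record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        yield rtype, data[off:off + rlen]
        off += rlen

def index_unified2(data):
    """Group event and packet records by (sensor_id, event_id), i.e. (sid, cid)."""
    index = {}
    for rtype, body in records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(body)
            index.setdefault((f[0], f[1]), {})["event"] = {
                "event_second": f[2], "signature_id": f[4], "generator_id": f[5],
                "ip_source": f[9], "ip_destination": f[10], "protocol": f[13]}
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)
            # f[6] is packet_length; the raw frame follows the 28-byte header.
            index.setdefault((f[0], f[1]), {})["packet"] = body[PACKET.size:PACKET.size + f[6]]
    return index

def packet_for(data, sensor_id, event_id):
    """Return the raw packet bytes for the alert keyed by (sid, cid), or None."""
    return index_unified2(data).get((sensor_id, event_id), {}).get("packet")

def sample_unified2():
    """Constructed sample stream: alert (sensor 1, event 42) with its packet,
    then an unrelated alert (event 43) that has no packet record."""
    ev = IDS_EVENT.pack(1, 42, 1421656247, 0, 1000001, 1, 1, 0, 3,
                        0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0, 0, 0, 0)
    frame = b"\x45\x00\x00\x28" + b"\x00" * 36     # constructed 40-byte stand-in frame
    pk = PACKET.pack(1, 42, 1421656247, 1421656247, 0, 1, len(frame)) + frame
    other = IDS_EVENT.pack(1, 43, 1421656248, 0, 1000002, 1, 1, 0, 3,
                           0x0A000003, 0x0A000002, 1234, 22, 6, 0, 0, 0, 0, 0, 0)
    return (HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + HDR.pack(UNIFIED2_PACKET, len(pk)) + pk
            + HDR.pack(UNIFIED2_IDS_EVENT, len(other)) + other)
```

Run it over a real unified2 spool file by replacing `sample_unified2()` with the file's bytes; an alert whose packet was not logged simply has no "packet" entry under its key.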