[Snort-users] barnyard2, syslog and pulling the packet data

Ran Regev ran_r at ...17068...
Mon Jan 19 03:30:47 EST 2015


Hello everyone,

This is the requirement:
From a syslog message that describes an alert, to be able to grab the entire
packet that caused this alert.

I thought of a few ways to do this, and after considering other requirements
as well, came to the conclusion that I would like to work in this way:

1. snort output to unified2 files.
2. barnyard2 reads the files and takes two outputs:
a. syslog.
b. database.

Based on the information in the syslog message, I'll be able to correlate
between the message and the saved event.

As far as I understand, the correlation should be done using sid and cid.
However, I can't find them in the syslog message.

Am I missing something?

Ran.
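The correlation step the post is asking about, as an added example (not code from the post or from the barnyard2 project). It assumes barnyard2's alert_syslog line shape, "[gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src:sport -> dst:dport", and the Snort database schema barnyard2 writes to (event, signature, iphdr, tcphdr/udphdr, data, with IP addresses stored as unsigned 32-bit integers and payloads stored hex-encoded); both should be checked against the reader's own installation. Since the syslog line carries no sensor id / event id (sid, cid), the lookup matches on what the line does carry: the rule id, the addresses and ports, and a time window around the syslog timestamp. The sample line and database rows are constructed.

```python
"""Correlate a barnyard2 syslog alert with its row in a Snort-schema database
and pull the stored packet payload.  Added example; assumptions (alert_syslog
line shape, database schema) are noted in the lead-in and must be verified."""
import re
import socket
import sqlite3
import struct
from datetime import datetime, timedelta

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
SYSLOG_TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)")
# Fixed map of protocol -> layer-4 table/columns; never derived from the line.
L4_TABLES = {"TCP": ("tcphdr", "tcp_sport", "tcp_dport"),
             "UDP": ("udphdr", "udp_sport", "udp_dport")}


def parse_syslog_alert(line):
    """Extract rule id (gid:sid:rev), protocol and 4-tuple from the line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a barnyard2 alert_syslog line")
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k])
    return d


def syslog_window(line, year, slack=2):
    """Syslog timestamps carry no year, so the caller supplies it.  Returns a
    (from, to) pair of 'YYYY-MM-DD HH:MM:SS' strings, +/- slack seconds, to
    absorb the lag between the unified2 write and the syslog emission."""
    mon, day, hms = SYSLOG_TS_RE.match(line).groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    fmt = "%Y-%m-%d %H:%M:%S"
    return ((ts - timedelta(seconds=slack)).strftime(fmt),
            (ts + timedelta(seconds=slack)).strftime(fmt))


def ip_to_u32(addr):
    """Schema stores IPv4 addresses as host-order unsigned 32-bit ints."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def find_event(conn, alert, ts_from, ts_to):
    """Match on rule id, addresses, ports and time window; return
    (sid, cid, timestamp, payload bytes) for every candidate event."""
    table, sport_col, dport_col = L4_TABLES[alert["proto"].upper()]
    sql = f"""
    SELECT e.sid, e.cid, e.timestamp, d.data_payload
    FROM event e
    JOIN signature s ON s.sig_id = e.signature
    JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
    JOIN {table} l4 ON l4.sid = e.sid AND l4.cid = e.cid
    LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
    WHERE s.sig_gid = ? AND s.sig_sid = ? AND s.sig_rev = ?
      AND i.ip_src = ? AND i.ip_dst = ?
      AND l4.{sport_col} = ? AND l4.{dport_col} = ?
      AND e.timestamp BETWEEN ? AND ?
    ORDER BY e.timestamp"""
    params = (alert["gid"], alert["sid"], alert["rev"],
              ip_to_u32(alert["src"]), ip_to_u32(alert["dst"]),
              alert["sport"], alert["dport"], ts_from, ts_to)
    return [(sid, cid, ts, bytes.fromhex(hx) if hx else b"")
            for sid, cid, ts, hx in conn.execute(sql, params)]


def build_sample_db():
    """Constructed in-memory stand-in for the barnyard2 database (subset of
    columns).  cid 42 is the event the sample syslog line refers to; the other
    rows are decoys with the same rule but a different port or direction."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE signature(sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                           sig_gid INTEGER, sig_sid INTEGER, sig_rev INTEGER);
    CREATE TABLE event(sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
    CREATE TABLE iphdr(sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
    CREATE TABLE tcphdr(sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
    CREATE TABLE udphdr(sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
    CREATE TABLE data(sid INTEGER, cid INTEGER, data_payload TEXT);
    INSERT INTO signature VALUES (7, 'LOCAL example rule', 1, 1000001, 3);""")
    src, dst = ip_to_u32("192.0.2.10"), ip_to_u32("198.51.100.7")
    rows = [(41, src, dst, 43121, "2015-01-19 10:21:30", b"earlier hit"),
            (42, src, dst, 43122, "2015-01-19 10:22:07", b"SSH-2.0-test\r\n"),
            (43, dst, src, 43122, "2015-01-19 10:22:07", b"reverse direction")]
    for cid, s, d, sport, ts, payload in rows:
        conn.execute("INSERT INTO event VALUES (1, ?, 7, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, s, d))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, 22)", (cid, sport))
        conn.execute("INSERT INTO data VALUES (1, ?, ?)", (cid, payload.hex()))
    return conn


SAMPLE_LINE = ("Jan 19 10:22:07 sensor1 barnyard2[2314]: [1:1000001:3] LOCAL example "
               "rule [Classification: Attempted Information Leak] [Priority: 2] "
               "{TCP} 192.0.2.10:43122 -> 198.51.100.7:22")  # constructed


def demo():
    alert = parse_syslog_alert(SAMPLE_LINE)
    return find_event(build_sample_db(), alert, *syslog_window(SAMPLE_LINE, 2015))


if __name__ == "__main__":
    for sid, cid, ts, payload in demo():
        print(f"sid={sid} cid={cid} ts={ts} payload={payload!r}")
```

Table and column names are interpolated from the fixed L4_TABLES map, never from the log line, so the only line-derived values go through bound parameters. Expect more than one row back when the same rule fires repeatedly on one flow inside the window; the timestamp ordering plus the cid lets you pick the nearest one, and the data row decodes to the raw packet bytes barnyard2 stored.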