[Snort-users] Load alerts read from file to database
paul at ...17768...
Mon Feb 6 18:28:37 EST 2017
Thanks Al for the hints. Much appreciated. After Snort reads a file, all
the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read
snort.log as the base from the command line as follows:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
-w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass
But it looks like barnyard2 is still reading the snort.u2 base file. Here is a
copy and paste of the messages from the console:
Using waldo file '/var/log/snort/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1486185613
record_idx = 0
Opened spool file '/var/log/snort/snort.u2.1486185613'
------console output end-----
I tried to edit barnyard2.waldo, but it looks like it's a binary file. Is there
a way to make barnyard2 read snort.log.xxxxx instead of snort.u2.xxxxx?
On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> Are the alert files in unified2 format?
> You may want to look here for some more info on barnyard.
> *Albert Lewis*
> ENGINEER.SOFTWARE ENGINEERING
> SOURCE*fire*, Inc. now part of *Cisco*
> Email: allewi at ...589...
> From: Paul Li <paul at ...17768...>
> Date: Saturday, February 4, 2017 at 1:05 AM
> To: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Load alerts read from file to database
> I'm using Snort to read a file and Snort generates alerts. But when I tried
> using Barnyard2 to load these alerts into the database, no alerts were loaded. Is
> there any configuration I should change to make it work, or does Barnyard2
> not support loading alerts from files?
> (When Snort generates alerts from monitoring a networking interface,
> Barnyard successfully loaded alerts to the database.)
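The console output above shows where the filebase is really coming from: barnyard2 prints "spool filebase = snort.u2" right after "Using waldo file", because the waldo bookmark records the spool directory, filebase, timestamp and record index of the last run, and on the next run those stored values are what it resumes from, so -d/-f on the command line do not get a say while that waldo exists. The script below is an added example, not code from the thread or from barnyard2 itself, that decodes such a waldo and writes a copy retargeted at a different filebase. It assumes the on-disk layout is barnyard2's WaldoData struct written raw with fwrite(): two MAX_FILEPATH_BUF-sized char arrays (spool_dir, spool_filebase) followed by two native uint32 values (timestamp, record_idx), with MAX_FILEPATH_BUF assumed to be 1024; the sample blob is constructed to mirror the values in the console output.

```python
"""Decode and retarget a barnyard2 waldo bookmark file.

Added example (not from the mailing-list thread or the barnyard2 project).
Assumed layout, from barnyard2's spooler.h WaldoData struct written raw:
    char     spool_dir[MAX_FILEPATH_BUF]
    char     spool_filebase[MAX_FILEPATH_BUF]
    uint32_t timestamp
    uint32_t record_idx
MAX_FILEPATH_BUF is assumed to be 1024; adjust it if your build differs
(the size check in parse_waldo will tell you if the file does not match).
"""
import os
import struct

MAX_FILEPATH_BUF = 1024  # assumption: value of barnyard2's MAX_FILEPATH_BUF
# "@" = native byte order and alignment, matching a struct dumped with fwrite()
WALDO_FMT = f"@{MAX_FILEPATH_BUF}s{MAX_FILEPATH_BUF}sII"
WALDO_SIZE = struct.calcsize(WALDO_FMT)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated C char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_waldo(blob: bytes) -> dict:
    """Unpack a waldo blob into its four fields; refuse data of the wrong size."""
    if len(blob) != WALDO_SIZE:
        raise ValueError(
            f"unexpected waldo size {len(blob)} (expected {WALDO_SIZE}); "
            "MAX_FILEPATH_BUF may differ on this build")
    spool_dir, filebase, timestamp, record_idx = struct.unpack(WALDO_FMT, blob)
    return {
        "spool_dir": _cstr(spool_dir),
        "spool_filebase": _cstr(filebase),
        "timestamp": timestamp,
        "record_idx": record_idx,
    }


def build_waldo(spool_dir: str, spool_filebase: str,
                timestamp: int = 0, record_idx: int = 0) -> bytes:
    """Pack the four fields into a blob with the assumed layout."""
    for name, value in (("spool_dir", spool_dir), ("spool_filebase", spool_filebase)):
        if len(value.encode()) >= MAX_FILEPATH_BUF:  # leave room for the NUL
            raise ValueError(f"{name} too long for a {MAX_FILEPATH_BUF}-byte field")
    return struct.pack(WALDO_FMT, spool_dir.encode(), spool_filebase.encode(),
                       timestamp, record_idx)


def spool_file_path(waldo: dict) -> str:
    """The spool file barnyard2 would open next: <dir>/<filebase>.<timestamp>."""
    return os.path.join(waldo["spool_dir"],
                        f"{waldo['spool_filebase']}.{waldo['timestamp']}")


def retarget_waldo(blob: bytes, new_filebase: str) -> bytes:
    """Copy of the waldo pointing at new_filebase with timestamp and record_idx
    reset to 0, i.e. the same state barnyard2 starts from when no waldo exists
    (assumption: a zero timestamp makes it look for the oldest matching file).
    The old offset only made sense inside the old spool file, so it must not
    be carried over."""
    current = parse_waldo(blob)
    return build_waldo(current["spool_dir"], new_filebase, 0, 0)


def read_waldo_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return parse_waldo(fh.read())


def write_waldo_file(path: str, blob: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(blob)


# Constructed sample mirroring the values printed in the console output above.
SAMPLE_WALDO = build_waldo("/var/log/snort", "snort.u2", 1486185613, 0)

if __name__ == "__main__":
    current = parse_waldo(SAMPLE_WALDO)
    print("current waldo:", current, "->", spool_file_path(current))
    moved = parse_waldo(retarget_waldo(SAMPLE_WALDO, "snort.log"))
    print("retargeted waldo:", moved, "->", spool_file_path(moved))
```

Run read_waldo_file() against /var/log/snort/barnyard2.waldo with barnyard2 stopped; if it raises on size, the MAX_FILEPATH_BUF assumption does not match your build and the constant needs adjusting before trusting the decode. In practice the simplest fix is to stop barnyard2 and either remove the waldo or pass a fresh path with -w, after which -d and -f are honoured again; the retarget helper is for the case where you want to keep the file and see exactly what it held. One separate caveat on the command line in the post: barnyard2's -u and -g set the user and group it drops privileges to after start-up, not database credentials, which belong in the output database: line of barnyard2.conf.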